At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> At Thu, 17 Mar 2022 21:55:07 +0000, Jacob Champion <pchampion@vmware.com> wrot> Thanks! .. and some
nitpicks..(Sorry)
>
> fe-secure-common.c doesn't need netinet/in.h.
>
>
> +++ b/src/include/utils/inet.h
> ..
> +#include "common/inet-common.h"
>
> I'm not sure about the project policy on #include practice, but I
> think it is the common practice not to include headers that are not
> required by the file itself. In this case, fe-secure-common.h itself
> doesn't need the include. Instead, fe-secure-openssl.c and
> fe-secure-common.c needs the include.
I noticed that this doesn't contain doc changes.
https://www.postgresql.org/docs/current/libpq-ssl.html
> In verify-full mode, the host name is matched against the
> certificate's Subject Alternative Name attribute(s), or against the
> Common Name attribute if no Subject Alternative Name of type dNSName
> is present. If the certificate's name attribute starts with an
> asterisk (*), the asterisk will be treated as a wildcard, which will
> match all characters except a dot (.). This means the certificate will
> not match subdomains. If the connection is made using an IP address
> instead of a host name, the IP address will be matched (without doing
> any DNS lookups).
This refers to dNSName, so we should revise this so that it describes
the new behavior.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center