Re: [PATCH] Accept IP addresses in server certificate SANs - Mailing list pgsql-hackers

From Kyotaro Horiguchi
Subject Re: [PATCH] Accept IP addresses in server certificate SANs
Date
Msg-id 20220322.133202.1699013732440256188.horikyota.ntt@gmail.com
Whole thread Raw
In response to Re: [PATCH] Accept IP addresses in server certificate SANs  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: [PATCH] Accept IP addresses in server certificate SANs
List pgsql-hackers
At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in 
> At Thu, 17 Mar 2022 21:55:07 +0000, Jacob Champion <pchampion@vmware.com> wrot> Thanks!  .. and some
nitpicks..(Sorry)
> 
> fe-secure-common.c doesn't need netinet/in.h.
> 
> 
> +++ b/src/include/utils/inet.h
> .. 
> +#include "common/inet-common.h"
> 
> I'm not sure about the project policy on #include practice, but I
> think it is the common practice not to include headers that are not
> required by the file itself.  In this case, fe-secure-common.h itself
> doesn't need the include.  Instead, fe-secure-openssl.c and
> fe-secure-common.c needs the include.

I noticed that this doesn't contain doc changes.

https://www.postgresql.org/docs/current/libpq-ssl.html

> In verify-full mode, the host name is matched against the
> certificate's Subject Alternative Name attribute(s), or against the
> Common Name attribute if no Subject Alternative Name of type dNSName
> is present. If the certificate's name attribute starts with an
> asterisk (*), the asterisk will be treated as a wildcard, which will
> match all characters except a dot (.). This means the certificate will
> not match subdomains. If the connection is made using an IP address
> instead of a host name, the IP address will be matched (without doing
> any DNS lookups).

This refers to dNSName, so we should revise this so that it describes
the new behavior.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center



pgsql-hackers by date:

Previous
From: Michael Paquier
Date:
Subject: Re: Out-of-tree certificate interferes ssltest
Next
From: Dilip Kumar
Date:
Subject: Re: [Proposal] Fully WAL logged CREATE DATABASE - No Checkpoints