Re: [PATCH] Accept IP addresses in server certificate SANs - Mailing list pgsql-hackers

From Kyotaro Horiguchi
Subject Re: [PATCH] Accept IP addresses in server certificate SANs
Date
Msg-id 20220323.142007.1816604521514641243.horikyota.ntt@gmail.com
In response to Re: [PATCH] Accept IP addresses in server certificate SANs  (Jacob Champion <pchampion@vmware.com>)
Responses Re: [PATCH] Accept IP addresses in server certificate SANs  (Jacob Champion <pchampion@vmware.com>)
List pgsql-hackers
At Tue, 22 Mar 2022 20:42:37 +0000, Jacob Champion <pchampion@vmware.com> wrote in 
> Thanks, looks like I had some old header dependencies left over from
> several versions ago. Fixed in v9.

Thanks!  Looks perfect.

> v9 contains the bare minimum but I don't think it's quite enough. How
> much of the behavior (and edge cases) do you think we should detail
> here? All of it?

I tried to write out the doc part.  What do you think about it?

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 3998b1781b..13e3e63768 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -8342,16 +8342,31 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
 
   <para>
    In <literal>verify-full</literal> mode, the host name is matched against the
-   certificate's Subject Alternative Name attribute(s), or against the
-   Common Name attribute if no Subject Alternative Name of type <literal>dNSName</literal> is
+   certificate's Subject Alternative Name attribute(s) (SAN), or against the
+   Common Name attribute if no SAN of type <literal>dNSName</literal> is
    present.  If the certificate's name attribute starts with an asterisk
    (<literal>*</literal>), the asterisk will be treated as
    a wildcard, which will match all characters <emphasis>except</emphasis> a dot
    (<literal>.</literal>). This means the certificate will not match subdomains.
    If the connection is made using an IP address instead of a host name, the
-   IP address will be matched (without doing any DNS lookups).
+   IP address will be matched (without doing any DNS lookups) against SANs of
+   type <literal>iPAddress</literal> or <literal>dNSName</literal>.  If no
+   <literal>ipAddress</literal> SAN is present and no
+   matching <literal>dNSName</literal> SAN is present, the host IP address is
+   matched against the Common Name attribute.
   </para>
 
+  <note>
+    <para>
+      For backward compatibility with earlier versions of PostgreSQL, the host
+      IP address is verified in a manner different
+      from <ulink url="https://tools.ietf.org/html/rfc6125">RFC 6125</ulink>.
+      The host IP address is always matched against <literal>dNSName</literal>
+      SANs as well as <literal>iPAdress</literal> SANs, and can be matched
+      against the Common Name attribute for a certain condition.
+   </para>
+  </note>
+
   <para>
    To allow server certificate verification, one or more root certificates
    must be placed in the file <filename>~/.postgresql/root.crt</filename>
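Review bot: `iPAdress` in the new <note> (the line `SANs as well as <literal>iPAdress</literal> SANs`) is misspelled, and the paragraph above spells the same tag two different ways (`<literal>iPAddress</literal>` in one sentence, `<literal>ipAddress</literal>` in the next); the GeneralName tag in RFC 5280 is `iPAddress`, so use that spelling in all three places. The note's closing sentence "can be matched against the Common Name attribute for a certain condition" leaves the reader guessing, while the paragraph just above already states the condition (no iPAddress SAN present and no matching dNSName SAN present); either repeat that condition in the note or drop the vague sentence. Minor: the `</para>` closing the note is indented one space less than its opening `<para>`.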
