Re: [PATCH] Accept IP addresses in server certificate SANs - Mailing list pgsql-hackers
| From | Kyotaro Horiguchi |
|---|---|
| Subject | Re: [PATCH] Accept IP addresses in server certificate SANs |
| Date | |
| Msg-id | 20220323.142007.1816604521514641243.horikyota.ntt@gmail.com |
| In response to | Re: [PATCH] Accept IP addresses in server certificate SANs (Jacob Champion <pchampion@vmware.com>) |
| Responses | Re: [PATCH] Accept IP addresses in server certificate SANs (Jacob Champion <pchampion@vmware.com>) |
| List | pgsql-hackers |
At Tue, 22 Mar 2022 20:42:37 +0000, Jacob Champion <pchampion@vmware.com> wrote in
> Thanks, looks like I had some old header dependencies left over from
> several versions ago. Fixed in v9.

Thanks! Looks perfect.

> v9 contains the bare minimum but I don't think it's quite enough. How
> much of the behavior (and edge cases) do you think we should detail
> here? All of it?

I tried to write out the doc part. What do you think about it?

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 3998b1781b..13e3e63768 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml
@@ -8342,16 +8342,31 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) <para> In <literal>verify-full</literal> mode, the host name is matched against the - certificate's Subject Alternative Name attribute(s), or against the - Common Name attribute if no Subject Alternative Name of type <literal>dNSName</literal> is + certificate's Subject Alternative Name attribute(s) (SAN), or against the + Common Name attribute if no SAN of type <literal>dNSName</literal> is present. If the certificate's name attribute starts with an asterisk (<literal>*</literal>), the asterisk will be treated as a wildcard, which will match all characters <emphasis>except</emphasis> a dot (<literal>.</literal>). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the - IP address will be matched (without doing any DNS lookups). + IP address will be matched (without doing any DNS lookups) against SANs of + type <literal>iPAddress</literal> or <literal>dNSName</literal>. If no + <literal>ipAddress</literal> SAN is present and no + matching <literal>dNSName</literal> SAN is present, the host IP address is + matched against the Common Name attribute. </para> + <note> + <para> + For backward compatibility with earlier versions of PostgreSQL, the host + IP address is verified in a manner different + from <ulink url="https://tools.ietf.org/html/rfc6125">RFC 6125</ulink>. + The host IP address is always matched against <literal>dNSName</literal> + SANs as well as <literal>iPAdress</literal> SANs, and can be matched + against the Common Name attribute for a certain condition. + </para> + </note> + <para> To allow server certificate verification, one or more root certificates must be placed in the file <filename>~/.postgresql/root.crt</filename>
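Review bot: the added <note> misspells the SAN type as <literal>iPAdress</literal>; it should be <literal>iPAddress</literal>, and the paragraph above it mixes <literal>ipAddress</literal> with <literal>iPAddress</literal> for the same type, so please use <literal>iPAddress</literal> in all three places since that is the name readers will look up in the certificate. The note's "can be matched against the Common Name attribute for a certain condition" leaves the condition unstated even though the preceding paragraph already spells it out; say it directly, e.g. "and, if no iPAddress SAN is present and no dNSName SAN matches, against the Common Name attribute", so a reader of the note alone knows when the fallback applies. Minor wording: "Subject Alternative Name attribute(s) (SAN)" reads more naturally as "Subject Alternative Name (SAN) attribute(s)".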