On 08/25/2014 01:07 PM, Andres Freund wrote:
> On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
>> But actually, I wonder if we should delegate the whole hostname matching to
>> OpenSSL? There's a function called X509_check_host for that, although it's
>> new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
>> the current code to handle older versions.
>
> Given that we're about to add support for other SSL implementations I'm
> not sure that that's a good idea. IIRC there exist quite a bit of
> different interpretations about what denotes a valid cert between the
> libraries.
Really? That sounds scary. I can imagine that some libraries support
more complicated stuff like Internationalized Domain Names, while others
don't, but as long as they all behave the same with the basic stuff, I
think that's acceptable.
> Doesn't sound fun to me.
As long as just this patch is concerned, I agree it's easier to just
implement it ourselves, but if we want to start implementing more
complicated rules, then I'd rather not get into that business at all,
and let the SSL library vendor deal with the bugs and CVEs.
I guess we'll go ahead with this patch for now, but keep this in mind if
someone wants to complicate the rules further in the future.
- Heikki
