Re: implement subject alternative names support for SSL connections - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: implement subject alternative names support for SSL connections
Date
Msg-id 5416E6F1.3080907@vmware.com
In response to Re: implement subject alternative names support for SSL connections  (Alexey Klyukin <alexk@hintbits.com>)
List pgsql-hackers
On 09/15/2014 01:44 PM, Alexey Klyukin wrote:
>>> Committed, with that change, ie. the CN is not checked if SANs are present.
>
> Actually, I disagree with the way the patch ignores the CN. Currently,
> it skips the CN unconditionally if the SubjectAltName section is
> present. But what RFC 6125 says is:
>
> "If a subjectAltName extension of type dNSName is present, that MUST
>     be used as the identity.  Otherwise, the (most specific) Common Name
>     field in the Subject field of the certificate MUST be used."
>
> This means that we have to check that at least one dNSName resource is
> present before declining to examine the CN. Attached is a one-liner
> (excluding comments) that fixes this.

Ok, good catch. Fixed.

- Heikki
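The two behaviours discussed in the thread, side by side, as an added example that is not part of the original message or of PostgreSQL's libpq code. The certificate is modelled as a constructed struct rather than parsed with OpenSSL, and the leftmost-label wildcard rule in dns_name_matches is an assumption added here for illustration; the page itself only covers the SAN-versus-CN selection. verify_host_as_committed skips the CN whenever any SAN entry exists, so a certificate whose only SAN is an iPAddress fails even though its CN names the host; verify_host_fixed consults the CN unless at least one dNSName SAN is present, which is the rule quoted from the RFC above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the certificate fields a TLS client looks at;
 * a real client would extract them from the X509 object with OpenSSL. */
typedef enum { SAN_DNS, SAN_IP, SAN_EMAIL } san_type;

typedef struct {
    san_type type;
    const char *value;
} san_entry;

typedef struct {
    const char *common_name;  /* Subject CN, or NULL if absent */
    const san_entry *sans;    /* subjectAltName entries, or NULL */
    size_t n_sans;
} cert_identity;

/* Case-insensitive DNS name comparison. A leading "*." label (assumed
 * wildcard rule, not from the page) covers exactly one host label. */
static bool dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* host needs a non-empty first label followed by the exact suffix */
        return dot != NULL && dot != host && strcasecmp(dot, pattern + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Behaviour as first committed: any SAN entry at all suppresses the CN. */
static bool verify_host_as_committed(const cert_identity *cert, const char *host)
{
    if (cert->n_sans > 0) {
        for (size_t i = 0; i < cert->n_sans; i++)
            if (cert->sans[i].type == SAN_DNS &&
                dns_name_matches(cert->sans[i].value, host))
                return true;
        return false;  /* CN ignored even though no dNSName was present */
    }
    return cert->common_name != NULL && dns_name_matches(cert->common_name, host);
}

/* Behaviour after the fix: only a dNSName SAN suppresses the CN. */
static bool verify_host_fixed(const cert_identity *cert, const char *host)
{
    bool saw_dnsname = false;
    for (size_t i = 0; i < cert->n_sans; i++) {
        if (cert->sans[i].type != SAN_DNS)
            continue;
        saw_dnsname = true;
        if (dns_name_matches(cert->sans[i].value, host))
            return true;
    }
    if (saw_dnsname)
        return false;  /* dNSName present: it is the identity, CN not consulted */
    return cert->common_name != NULL && dns_name_matches(cert->common_name, host);
}

/* Constructed sample certificates. */
static const san_entry ip_only_sans[] = { { SAN_IP, "10.0.0.5" } };
static const cert_identity ip_only_cert = { "db.example.com", ip_only_sans, 1 };

static const san_entry dns_sans[] = { { SAN_DNS, "*.example.com" }, { SAN_IP, "10.0.0.5" } };
static const cert_identity dns_cert = { "legacy.example.org", dns_sans, 2 };

static const cert_identity cn_only_cert = { "db.example.com", NULL, 0 };

int main(void)
{
    /* The case the fix is about: an iPAddress-only SAN must not hide the CN. */
    printf("ip-only SAN, as committed: %d\n", verify_host_as_committed(&ip_only_cert, "db.example.com"));
    printf("ip-only SAN, fixed:        %d\n", verify_host_fixed(&ip_only_cert, "db.example.com"));
    /* dNSName present: the CN is ignored by both versions. */
    printf("dNSName present, CN host:  %d\n", verify_host_fixed(&dns_cert, "legacy.example.org"));
    return 0;
}
```

The difference shows up only for certificates that carry SAN entries of some type other than dNSName (here an iPAddress) together with a CN: the committed version rejects the connection, the fixed version falls back to the CN as the RFC text requires. When a dNSName is present, both versions ignore the CN, so a host that appears only in the CN is rejected.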


