Postgres Pro
Downloads
Home   >   mailing lists

Re: [PATCH] Accept IP addresses in server certificate SANs - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Accept IP addresses in server certificate SANs
Date
Msg-id 5878cc4f261dfac70999be7c10d80e898449e388.camel@vmware.com
Whole thread Raw
In response to Re: [PATCH] Accept IP addresses in server certificate SANs  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: [PATCH] Accept IP addresses in server certificate SANs
List pgsql-hackers
Tree view 
On Tue, 2022-03-22 at 13:32 +0900, Kyotaro Horiguchi wrote:
> At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> > 
> > fe-secure-common.c doesn't need netinet/in.h.
> > 
> > 
> > +++ b/src/include/utils/inet.h
> > ..
> > +#include "common/inet-common.h"
> > 
> > I'm not sure about the project policy on #include practice, but I
> > think it is the common practice not to include headers that are not
> > required by the file itself.  In this case, fe-secure-common.h itself
> > doesn't need the include.  Instead, fe-secure-openssl.c and
> > fe-secure-common.c needs the include.

Thanks, looks like I had some old header dependencies left over from
several versions ago. Fixed in v9.

> I noticed that this doesn't contain doc changes.
> 
>
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.postgresql.org%2Fdocs%2Fcurrent%2Flibpq-ssl.html&data=04%7C01%7Cpchampion%40vmware.com%7Cb25566c0f0124a30221908da0bbcec13%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637835203290105956%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=sZuKc9UxmW1oZQij%2F%2F91rkEF57BZiQebkXtvEt%2FdROU%3D&reserved=0
> 
> > In verify-full mode, the host name is matched against the
> > certificate's Subject Alternative Name attribute(s), or against the
> > Common Name attribute if no Subject Alternative Name of type dNSName
> > is present. If the certificate's name attribute starts with an
> > asterisk (*), the asterisk will be treated as a wildcard, which will
> > match all characters except a dot (.). This means the certificate will
> > not match subdomains. If the connection is made using an IP address
> > instead of a host name, the IP address will be matched (without doing
> > any DNS lookups).
> 
> This refers to dNSName, so we should revise this so that it describes
> the new behavior.

v9 contains the bare minimum but I don't think it's quite enough. How
much of the behavior (and edge cases) do you think we should detail
here? All of it?

Thanks,
--Jacob
Attachment

pgsql-hackers by date:

Previous
From: Andrew Dunstan
Date:
Subject: Re: New Object Access Type hooks
Next
From: Robert Haas
Date:
Subject: Re: [Proposal] Fully WAL logged CREATE DATABASE - No Checkpoints