Home > mailing lists

Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date	December 1, 2008 14:02:45
Msg-id	603c8f070812010702k7c3d57ean92408e7f4fad30d7@mail.gmail.com Whole thread Raw
In response to	Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new (Magnus Hagander <magnus@hagander.net>)
Responses	Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new (Magnus Hagander <magnus@hagander.net>)
List	pgsql-hackers

Tree view

>> 2. I can't see any possible way that matching a single component could
>> create security holes that would be eliminated by matching multiple
>> components, but I'm more skeptical about the other direction.  What
>> about the old DNS hack where you create a DNS record for
>> example.com.sample.com and hijack connections intended for example.com
>> made by people whose default DNS suffix is sample.com?  There may be
>> reason to believe this isn't a problem, but matching less seems like
>> it can't possibly be a bad thing.
>
> Right, but that's all about being careful not to give out certs like
> "*.postgres.*".

Errrr...no.  The point is that if you've hacked sample.com's DNS
server, you might have a cert for *.sample.com, but you might NOT have
a cert for example.com.

...Robert

pgsql-hackers by date:

From: "David E. Wheeler"
Date: 01 December 2008, 13:57:01
Subject: Re: New to_timestamp implementation is pretty strict

From: "David E. Wheeler"
Date: 01 December 2008, 14:03:08
Subject: Re: New to_timestamp implementation is pretty strict

Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new - Mailing list pgsql-hackers

Previous

Next