pgsql: libpq: Allow IP address SANs in server certificates - Mailing list pgsql-committers

From Peter Eisentraut
Subject pgsql: libpq: Allow IP address SANs in server certificates
Msg-id E1naHr4-000JOY-FK@gemulon.postgresql.org
List pgsql-committers
libpq: Allow IP address SANs in server certificates

The current implementation supports exactly one IP address in a server
certificate's Common Name, which is brittle (the strings must match
exactly).  This patch adds support for IPv4 and IPv6 addresses in a
server's Subject Alternative Names.

Per discussion on-list:

- If the client's expected host is an IP address, we allow fallback to
  the Subject Common Name if an iPAddress SAN is not present, even if
  a dNSName is present.  This matches the behavior of NSS, in
  violation of the relevant RFCs.

- We also, counter-intuitively, match IP addresses embedded in dNSName
  SANs.  From inspection this appears to have been the behavior since
  the SAN matching feature was introduced in acd08d76.

- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.

Author: Jacob Champion <pchampion@vmware.com>
Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/c1932e542863f0f646f005b3492452acc57c7e66

Modified Files
--------------
configure                                          |   2 +-
configure.ac                                       |   1 +
doc/src/sgml/libpq.sgml                            |  21 ++-
src/include/pg_config.h.in                         |   3 +
src/interfaces/libpq/fe-secure-common.c            | 104 +++++++++++++++
src/interfaces/libpq/fe-secure-common.h            |   4 +
src/interfaces/libpq/fe-secure-openssl.c           | 143 +++++++++++++++++++--
.../ssl/conf/server-cn-and-ip-alt-names.config     |  24 ++++
src/test/ssl/conf/server-ip-alt-names.config       |  19 +++
.../ssl/conf/server-ip-cn-and-alt-names.config     |  21 +++
.../ssl/conf/server-ip-cn-and-dns-alt-names.config |  21 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.crt    |  20 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.key    |  27 ++++
src/test/ssl/ssl/server-ip-alt-names.crt           |  19 +++
src/test/ssl/ssl/server-ip-alt-names.key           |  27 ++++
src/test/ssl/ssl/server-ip-cn-and-alt-names.crt    |  19 +++
src/test/ssl/ssl/server-ip-cn-and-alt-names.key    |  27 ++++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.crt     |  20 +++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.key     |  27 ++++
src/test/ssl/sslfiles.mk                           |   4 +
src/test/ssl/t/001_ssltests.pl                     |  98 ++++++++++++++
src/tools/msvc/Solution.pm                         |   1 +
22 files changed, 635 insertions(+), 17 deletions(-)
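
The matching rules listed in the commit message, for a client whose expected host is an IP literal, sketched as an added example (not code from this commit or from libpq). The `san` struct, `ip_san_matches` and `verify_ip_host` are hypothetical names, the SAN bytes are constructed samples, and dNSName wildcard handling is left out.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum san_type { SAN_DNS, SAN_IP };      /* dNSName / iPAddress */
struct san { enum san_type type; const void *data; size_t len; };

/* Constructed samples: iPAddress SAN bytes for 192.0.2.1 and 2001:db8::1 */
static const unsigned char SAN_V4[4] = {192, 0, 2, 1};
static const unsigned char SAN_V6[16] = {0x20, 0x01, 0x0d, 0xb8, [15] = 1};

/* Compare an IP-literal host with the raw bytes of an iPAddress SAN
 * (4 bytes = IPv4, 16 = IPv6).  No IPv4<->IPv6 mapping is applied. */
static int
ip_san_matches(const char *host, const void *san, size_t len)
{
    unsigned char addr[16];
    int family = (len == 4) ? AF_INET : (len == 16) ? AF_INET6 : -1;

    if (family < 0 || inet_pton(family, host, addr) != 1)
        return 0;               /* malformed SAN, or other address family */
    return memcmp(addr, san, len) == 0;
}

/* Accept or reject a certificate (SAN list plus Common Name) for an
 * IP-literal host, following the rules in the commit message. */
static int
verify_ip_host(const char *host, const struct san *sans, size_t nsans,
               const char *cn)
{
    int saw_ip_san = 0;

    for (size_t i = 0; i < nsans; i++)
    {
        if (sans[i].type == SAN_IP)
        {
            saw_ip_san = 1;
            if (ip_san_matches(host, sans[i].data, sans[i].len))
                return 1;
        }
        /* an IP embedded in a dNSName SAN is compared as text */
        else if (strlen(host) == sans[i].len &&
                 strncasecmp(host, sans[i].data, sans[i].len) == 0)
            return 1;
    }
    /* CN fallback (textual, so spelling must match exactly) only when no
     * iPAddress SAN exists; a dNSName SAN alone does not suppress it. */
    return !saw_ip_san && cn != NULL && strcasecmp(host, cn) == 0;
}
```

Because the iPAddress comparison is on parsed bytes, `2001:db8:0:0:0:0:0:1` matches a SAN for `2001:db8::1`, while the same pair compared as Common Name text does not.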

