The following bug has been logged online:
Bug reference: 5868
Logged by: Christopher Head
Email address: chris2k01@hotmail.com
PostgreSQL version: 9.0.1
Operating system: Linux amd64
Description: Client ignores X.509 subject alternative name
Details:
This is more of a wishlist/feature-request than an actual bug. The X.509v3
certificate standard allows an extension field called the "subject
alternative name". This field can contain a list of names that should be
considered as legitimate names for the entity to which the certificate
belongs. Specifically, if an alternative name is of the form
"DNS:some.domain.name.tld", then the certificate should be treated as though
legitimate for the domain "some.domain.name.tld", just as if that domain
were in the common name field of the subject distinguished name. Right now,
the psql client (probably libpq) doesn't look at this certificate extension;
rather, it only checks if the subject distinguished name common name field
matches the requested hostname. It would be nice if the alternative names
could be checked also (modern Web browsers all seem to check the extension
fine when using the certificate for HTTPS). What this allows is for the
common name to have a human-readable name instead of a hostname, with the
hostnames stuffed into the alternative names list. While this is pretty much
irrelevant for PostgreSQL connections, when sharing a certificate with a Web
server, browsers will show the human-readable distinguished name, which is
nice. Therefore, it would be preferable for the PostgreSQL clients to also
honour this field.