Re: implement subject alternative names support for SSL connections

From Andres Freund
Subject Re: implement subject alternative names support for SSL connections
Date
Msg-id 20140825100741.GB29875@awork2.anarazel.de
In response to Re: implement subject alternative names support for SSL connections  (Heikki Linnakangas <hlinnakangas@vmware.com>)
Responses Re: implement subject alternative names support for SSL connections  (Heikki Linnakangas <hlinnakangas@vmware.com>)
List pgsql-hackers
On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
> But actually, I wonder if we should delegate the whole hostname matching to
> OpenSSL? There's a function called X509_check_host for that, although it's
> new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
> the current code to handle older versions.

Given that we're about to add support for other SSL implementations I'm
not sure that that's a good idea. IIRC there exist quite a bit of
different interpretations about what denotes a valid cert between the
libraries. Doesn't sound fun to me.

Greetings,

Andres Freund

-- 
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services


