BUG #14130: SSL certifiate's Subject Alternative Name isn't check correctly
| От | sergei.agalakov@getmyle.com |
|---|---|
| Тема | BUG #14130: SSL certifiate's Subject Alternative Name isn't check correctly |
| Дата | |
| Msg-id | 20160509170810.2690.41247@wrigleys.postgresql.org обсуждение исходный текст |
| Ответы |
Re: BUG #14130: SSL certifiate's Subject Alternative Name
isn't check correctly
Re: BUG #14130: SSL certifiate's Subject Alternative Name isn't check correctly |
| Список | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 14130
Logged by: Sergei Agalakov
Email address: sergei.agalakov@getmyle.com
PostgreSQL version: 9.5.2
Operating system: CentOS 7
Description:
CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2
1. Created server certificate signed by local CA with three Subject
Alternative Name values
$ openssl x509 -in server.crt -text -noout
...
X509v3 Subject Alternative Name:
DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP
Address:162.222.177.29, IP Address:10.240.0.3
...
2. Created and copied root.crt for local CA certificate
3. Switched SSL mode to verify-full
$export PGSSLMODE=verify-full
4. $psql -h 10.240.0.3 -U postgres
psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
does not match host name "10.240.0.3"
According to E.3.3.1.4. SSL in
http://www.postgresql.org/docs/9.5/static/release-9-5.html
PG 9.5 should check all Subject Alternative Names to match in the
certificate. The same implies in
http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
"In verify-full mode, the host name is matched against the certificate's
Subject Alternative Name attribute(s), or against the Common Name attribute
if no Subject Alternative Name of type dNSName is present."
An expected result was a SSL connection because one of SAN attributes
matched host name. Instead a connection was refused.
Thank you,
Sergei Agalakov
В списке pgsql-bugs по дате отправления: