Re: [PATCH] Accept IP addresses in server certificate SANs

From Kyotaro Horiguchi
Subject Re: [PATCH] Accept IP addresses in server certificate SANs
Msg-id 20211217.165430.655740392355518222.horikyota.ntt@gmail.com
In response to Re: [PATCH] Accept IP addresses in server certificate SANs  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: [PATCH] Accept IP addresses in server certificate SANs  (Jacob Champion <pchampion@vmware.com>)
List pgsql-hackers

Sorry for the silly mistake.

At Fri, 17 Dec 2021 15:40:10 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in 
> > NSS departs slightly from the spec and will additionally try to match
> > an IP address against the CN, but only if there are no iPAddresses in
> > the SAN. It roughly matches the logic for DNS names.
> 
> OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
> doesn't exist.  X509_check_ip() tries SAN and completely ignores
> iPAddress and CN.

OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
doesn't exist.  X509_check_ip() tries iPAddress and completely ignores
CN.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
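
The matching rules compared in this message, written out as a small C model (an added example, not code from the patch, OpenSSL or NSS). The struct, the function names and the sample certificates are constructed for illustration, and names and addresses are compared as plain strings with no wildcard or case handling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the certificate fields that matter for the check. */
struct cert {
    const char *cn;         /* subject Common Name */
    const char *san_dns[4]; /* SAN dNSName entries, NULL-terminated */
    const char *san_ip[4];  /* SAN iPAddress entries in text form, NULL-terminated */
};

static bool in_list(const char *const *list, const char *s)
{
    for (size_t i = 0; list[i] != NULL; i++)
        if (strcmp(list[i], s) == 0)
            return true;
    return false;
}

/* Host check as described for X509_check_host(): SAN first, CN only when
 * the certificate carries no dNSName SAN at all. */
bool model_check_host(const struct cert *c, const char *host)
{
    if (c->san_dns[0] != NULL)
        return in_list(c->san_dns, host);
    return c->cn != NULL && strcmp(c->cn, host) == 0;
}

/* IP check as described for X509_check_ip(): iPAddress SANs only, CN ignored. */
bool model_check_ip_openssl(const struct cert *c, const char *ip)
{
    return in_list(c->san_ip, ip);
}

/* IP check as described for NSS: CN fallback only when no iPAddress SAN exists. */
bool model_check_ip_nss(const struct cert *c, const char *ip)
{
    if (c->san_ip[0] != NULL)
        return in_list(c->san_ip, ip);
    return c->cn != NULL && strcmp(c->cn, ip) == 0;
}

/* Constructed sample certificates (documentation address range). */
const struct cert cn_only  = { "192.0.2.10", { NULL }, { NULL } };
const struct cert with_san = { "192.0.2.10", { "db.example.test", NULL }, { "192.0.2.20", NULL } };

int main(void)
{
    printf("CN-only cert, IP check: openssl=%d nss=%d\n",
           model_check_ip_openssl(&cn_only, "192.0.2.10"), model_check_ip_nss(&cn_only, "192.0.2.10"));
    return 0;
}
```

A certificate that carries its IP address only in the CN is the case where the two IP policies disagree, so a client that switches to an IP-specific check has to decide explicitly whether to keep a CN fallback.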