Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>
>> (I don't believe OpenSSL does this verification either, because AFAICS
>> OpenSSL only ever sees the IP address of the server, and not the FQDN)
>>
>
> In common usages libpq doesn't have the FQDN of the server either.
> To impose such a requirement, we'd have to forbid naming the server
> by IP address or via a domain-search-path abbreviation.
>
> regards, tom lane
>
Well, right now, SSL does nothing for you, so you have to do something.
It's OK, SSL isn't doing a lot for a lot of people, but this is the
beginning of us calling people out on that.
You can handle IP address and domain-search-path by having an option for
explicitly declaring the subject name to be expected at the other side
of the SSL connection. In other words, sever the DNS/FQDN link, and
just explicitly say "however I reach that host over there, I expect
database.backend.com".
--Dan