Re: [PATCH] Accept IP addresses in server certificate SANs
| From | Jacob Champion |
|---|---|
| Subject | Re: [PATCH] Accept IP addresses in server certificate SANs |
| Date | |
| Msg-id | 5878cc4f261dfac70999be7c10d80e898449e388.camel@vmware.com |
| In response to | Re: [PATCH] Accept IP addresses in server certificate SANs (Kyotaro Horiguchi <horikyota.ntt@gmail.com>) |
| Responses | Re: [PATCH] Accept IP addresses in server certificate SANs |
| List | pgsql-hackers |

On Tue, 2022-03-22 at 13:32 +0900, Kyotaro Horiguchi wrote:
> At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> >
> > fe-secure-common.c doesn't need netinet/in.h.
> >
> >
> > +++ b/src/include/utils/inet.h
> > ..
> > +#include "common/inet-common.h"
> >
> > I'm not sure about the project policy on #include practice, but I
> > think it is the common practice not to include headers that are not
> > required by the file itself. In this case, fe-secure-common.h itself
> > doesn't need the include. Instead, fe-secure-openssl.c and
> > fe-secure-common.c need the include.

Thanks, looks like I had some old header dependencies left over from
several versions ago. Fixed in v9.

> I noticed that this doesn't contain doc changes.
>
> https://www.postgresql.org/docs/current/libpq-ssl.html
>
> > In verify-full mode, the host name is matched against the
> > certificate's Subject Alternative Name attribute(s), or against the
> > Common Name attribute if no Subject Alternative Name of type dNSName
> > is present. If the certificate's name attribute starts with an
> > asterisk (*), the asterisk will be treated as a wildcard, which will
> > match all characters except a dot (.). This means the certificate will
> > not match subdomains. If the connection is made using an IP address
> > instead of a host name, the IP address will be matched (without doing
> > any DNS lookups).
>
> This refers to dNSName, so we should revise this so that it describes
> the new behavior.

v9 contains the bare minimum but I don't think it's quite enough. How
much of the behavior (and edge cases) do you think we should detail
here? All of it?

Thanks,
--Jacob
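
The matching rules in the documentation paragraph quoted above, written out as an added Python example; it is not part of this message, the patch, or libpq's code. The function names, the requirement that `*` match at least one character, and the handling of iPAddress SANs (compared as parsed addresses, and taking precedence when the host is an IP literal) are assumptions of this example, not the patch's documented behaviour.

```python
import ipaddress


def wildcard_match(pattern, host):
    """A leading '*' matches a run of characters that contains no dot,
    so '*.example.com' covers one label and never a deeper subdomain.
    Assumption: the asterisk must stand for at least one character."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*"):
        return pattern == host
    suffix = pattern[1:]                      # e.g. ".example.com"
    if len(host) <= len(suffix) or not host.endswith(suffix):
        return False
    return "." not in host[:len(host) - len(suffix)]


def verify_full(host, dns_sans, ip_sans, common_name):
    """host: what the client connected to (never resolved via DNS).
    dns_sans / ip_sans: dNSName and iPAddress SAN entries as strings.
    common_name: subject CN, consulted only when no dNSName SAN exists."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None and ip_sans:
        # Assumption: compare parsed addresses rather than text, so
        # equivalent spellings of one IPv6 address are treated as equal.
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    if dns_sans:
        return any(wildcard_match(p, host) for p in dns_sans)
    return common_name is not None and wildcard_match(common_name, host)


if __name__ == "__main__":
    # Constructed certificate contents, for illustration only.
    cases = [
        ("db.example.com", ["*.example.com"], [], None),
        ("a.db.example.com", ["*.example.com"], [], None),
        ("db.example.com", ["other.example.net"], [], "db.example.com"),
        ("0:0:0:0:0:0:0:1", [], ["::1"], None),
    ]
    for host, dns, ips, cn in cases:
        print(host, dns, ips, cn, "->", verify_full(host, dns, ips, cn))
```

The third case shows why the CN fallback wording matters: a matching Common Name is ignored as soon as the certificate carries any dNSName SAN.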