Re: implement subject alternative names support for SSL connections

On 08/25/2014 01:07 PM, Andres Freund wrote:

On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:

But actually, I wonder if we should delegate the whole hostname matching to
OpenSSL? There's a function called X509_check_host for that, although it's
new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
the current code to handle older versions.

Given that we're about to add support for other SSL implementations I'm
not sure that that's a good idea. IIRC there exist quite a bit of
different interpretations about what denotes a valid cert between the
libraries.

As long as just this patch is concerned, I agree it's easier to just implement it ourselves, but if we want to start implementing more complicated rules, then I'd rather not get into that business at all, and let the SSL library vendor deal with the bugs and CVEs.

I guess we'll go ahead with this patch for now, but keep this in mind if someone wants to complicate the rules further in the future.