Re: implement subject alternative names support for SSL connections

From Alexey Klyukin
Subject Re: implement subject alternative names support for SSL connections
Date
Msg-id CAAS3ty+xU4rEqUFXiqfyq5wNY8k=sme28DvyfVgjOkae1LE+Ew@mail.gmail.com
In response to Re: implement subject alternative names support for SSL connections  (Heikki Linnakangas <hlinnakangas@vmware.com>)
Responses Re: implement subject alternative names support for SSL connections  (Heikki Linnakangas <hlinnakangas@vmware.com>)
List pgsql-hackers
On Wed, Aug 20, 2014 at 11:53 AM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:
> On 07/25/2014 07:10 PM, Alexey Klyukin wrote:
>> Greetings,
>>
>> I'd like to propose a patch for checking subject alternative names entry in
>> the SSL certificate for DNS names during SSL authentication.
>
> Thanks! I just ran into this missing feature last week, while working on my SSL test suite. So +1 for having the feature.
>
> This patch needs to be rebased over current master branch, thanks to my refactoring that moved all OpenSSL-specific stuff to be-secure-openssl.c.

The patch is rebased against fe-secure-openssl.c (that's where verify_peer_name_matches_certificate appeared in the master branch), I've changed the condition in the for loop to be less confusing (thanks to comments from Magnus and Tom), making an explicit break once a match is detected. 

Note that it generates a lot of OpenSSL-related warnings on my system (66 total) with clang, complaining about $X is deprecated: first deprecated in OS X 10.7 [-Wdeprecated-declarations], but it does so for most other SSL functions, so I don't think it's a problem introduced by this patch.

Sincerely,
Alexey.
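
The check discussed in this message, as an added sketch that is neither the patch nor PostgreSQL code: walk the SAN entries, consider only DNS names, and break explicitly on the first match. The `san_entry` struct, the sample list, the single-label wildcard rule and the embedded-NUL rejection are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a decoded subjectAltName entry. */
enum san_type { SAN_DNS, SAN_IP };
struct san_entry { enum san_type type; const char *data; size_t len; };
#define SAN(t, s) { t, s, sizeof(s) - 1 }

/* Constructed sample list, not taken from any real certificate. */
static const struct san_entry sample_sans[] = {
    SAN(SAN_IP, "192.0.2.10"),
    SAN(SAN_DNS, "db.example.com\0.example.net"),  /* embedded NUL */
    SAN(SAN_DNS, "*.pg.example.com"),
    SAN(SAN_DNS, "primary.example.com"),
};

/* One dNSName vs. host: case-insensitive; "*." covers exactly one label. */
static int dns_name_matches(const char *name, size_t len, const char *host)
{
    const char *dot = strchr(host, '.');

    if (len == 0 || memchr(name, '\0', len) != NULL)
        return 0;   /* empty name or embedded NUL: never match */
    if (len == strlen(host) && strncasecmp(name, host, len) == 0)
        return 1;
    return len > 2 && name[0] == '*' && name[1] == '.' &&
           dot != NULL && dot != host && strlen(dot) == len - 1 &&
           strncasecmp(name + 1, dot, len - 1) == 0;
}

/* Returns 1 if any dNSName entry matches host, 0 otherwise. */
int san_matches_host(const struct san_entry *sans, size_t n, const char *host)
{
    int found = 0;
    for (size_t i = 0; i < n; i++)
    {
        if (sans[i].type != SAN_DNS)
            continue;   /* only DNS names are checked */
        if (dns_name_matches(sans[i].data, sans[i].len, host))
        {
            found = 1;
            break;      /* explicit break once a match is detected */
        }
    }
    return found;
}

int main(void) { printf("%d\n", san_matches_host(sample_sans, 4, "node1.pg.example.com")); return 0; }
```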