Discussion: BUG #14130: SSL certificate's Subject Alternative Name isn't checked correctly
BUG #14130: SSL certificate's Subject Alternative Name isn't checked correctly
From:
sergei.agalakov@getmyle.com
Date:
The following bug has been logged on the website:

Bug reference: 14130
Logged by: Sergei Agalakov
Email address: sergei.agalakov@getmyle.com
PostgreSQL version: 9.5.2
Operating system: CentOS 7
Description:

CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2

1. Created a server certificate signed by a local CA with three Subject Alternative Name values

   $ openssl x509 -in server.crt -text -noout
   ...
   X509v3 Subject Alternative Name:
       DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP Address:162.222.177.29, IP Address:10.240.0.3
   ...

2. Created and copied root.crt for the local CA certificate

3. Switched SSL mode to verify-full

   $ export PGSSLMODE=verify-full

4. $ psql -h 10.240.0.3 -U postgres
   psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal" does not match host name "10.240.0.3"

According to E.3.3.1.4. SSL in http://www.postgresql.org/docs/9.5/static/release-9-5.html
PG 9.5 should check all Subject Alternative Names to match in the certificate. The same is implied in http://www.postgresql.org/docs/9.5/static/libpq-ssl.html:
"In verify-full mode, the host name is matched against the certificate's Subject Alternative Name attribute(s), or against the Common Name attribute if no Subject Alternative Name of type dNSName is present."

The expected result was an SSL connection because one of the SAN attributes matched the host name. Instead the connection was refused.

Thank you,
Sergei Agalakov
Re: BUG #14130: SSL certificate's Subject Alternative Name isn't checked correctly
From:
Andres Freund
Date:
Hi,

On 2016-05-09 17:08:10 +0000, sergei.agalakov@getmyle.com wrote:
> 4. $psql -h 10.240.0.3 -U postgres
> psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
> does not match host name "10.240.0.3"

Does psql -h myle-db001a-small.c.myle-gce-proj-01.internal work?

- Andres
Re: BUG #14130: SSL certificate's Subject Alternative Name isn't checked correctly
From:
Heikki Linnakangas
Date:
On 09/05/16 20:08, sergei.agalakov@getmyle.com wrote:
> CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2
> 1. Created server certificate signed by local CA with three Subject
> Alternative Name values
> $ openssl x509 -in server.crt -text -noout
> ...
> X509v3 Subject Alternative Name:
> DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP
> Address:162.222.177.29, IP Address:10.240.0.3
> ...
> 2. Created and copied root.crt for local CA certificate
> 3. Switched SSL mode to verify-full
> $export PGSSLMODE=verify-full
> 4. $psql -h 10.240.0.3 -U postgres
> psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
> does not match host name "10.240.0.3"
> According to E.3.3.1.4. SSL in
> http://www.postgresql.org/docs/9.5/static/release-9-5.html
> PG 9.5 should check all Subject Alternative Names to match in the
> certificate. The same implies in
> http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
> "In verify-full mode, the host name is matched against the certificate's
> Subject Alternative Name attribute(s), or against the Common Name attribute
> if no Subject Alternative Name of type dNSName is present."
> An expected result was a SSL connection because one of SAN attributes
> matched host name. Instead a connection was refused.

PostgreSQL only pays attention to "DNS" SAN attributes, the IP addresses are ignored. It would be a nice feature if it did, but that hasn't been implemented.

- Heikki
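As an added illustration (not code from the thread or from libpq itself), the Python below models the two matching policies under discussion: the 9.5 behaviour Heikki describes, where only dNSName entries are consulted so an IP-literal host never matches, and the behaviour the reporter expected, where iPAddress entries are honoured. The SAN line and Common Name are the values from the report, parsed in the form `openssl x509 -text` prints them; the function names and the `ip_sans` switch are my own.

```python
import ipaddress

# Constructed input: the SAN line as `openssl x509 -text` prints it, using the
# values quoted in the bug report, plus an assumed matching Common Name.
SAN_LINE = ("DNS:myle-db001a-small.c.myle-gce-proj-01.internal, "
            "IP Address:162.222.177.29, IP Address:10.240.0.3")
COMMON_NAME = "myle-db001a-small.c.myle-gce-proj-01.internal"


def parse_san(line):
    """Split an openssl SAN line into [(kind, value)], kind in {'DNS', 'IP'}."""
    entries = []
    for item in line.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            entries.append(("DNS", value.lower()))
        elif kind == "IP Address":
            entries.append(("IP", ipaddress.ip_address(value)))
    return entries


def dns_match(pattern, host):
    """RFC 6125-style match: one '*' may replace only the leftmost label."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                      # ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return False


def verify_full(host, san_line, common_name, ip_sans=False):
    """Hostname check in the spirit of libpq's verify-full (hypothetical helper).
    ip_sans=False: the 9.5 behaviour, only dNSName entries are consulted.
    ip_sans=True : iPAddress entries are also honoured for IP-literal hosts."""
    sans = parse_san(san_line)
    dns_names = [v for k, v in sans if k == "DNS"]
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    if host_ip is not None and ip_sans:
        return any(k == "IP" and v == host_ip for k, v in sans)
    if dns_names:                 # a dNSName SAN is present: the CN is ignored
        return any(dns_match(p, host) for p in dns_names)
    return dns_match(common_name.lower(), host)   # legacy CN fallback
```

Running `verify_full("10.240.0.3", SAN_LINE, COMMON_NAME)` reproduces the rejection from step 4 of the report, while the same call with `ip_sans=True` accepts the certificate.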