Обсуждение: BUG #14130: SSL certifiate's Subject Alternative Name isn't check correctly

The following bug has been logged on the website:

Bug reference:      14130
Logged by:          Sergei Agalakov
Email address:      sergei.agalakov@getmyle.com
PostgreSQL version: 9.5.2
Operating system:   CentOS 7
Description:

CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2
1. Created server certificate signed by local CA with three Subject
Alternative Name values
$ openssl x509 -in server.crt -text -noout
...
X509v3 Subject Alternative Name:
                DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP
Address:162.222.177.29, IP Address:10.240.0.3
...
2. Created and copied root.crt for local CA certificate
3. Switched SSL mode to verify-full
$export PGSSLMODE=verify-full
4. $psql -h 10.240.0.3 -U postgres
psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
does not match host name "10.240.0.3"
According to E.3.3.1.4. SSL in
http://www.postgresql.org/docs/9.5/static/release-9-5.html
PG 9.5 should check all Subject Alternative Names to match in the
certificate. The same implies in
http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
"In verify-full mode, the host name is matched against the certificate's
Subject Alternative Name attribute(s), or against the Common Name attribute
if no Subject Alternative Name of type dNSName is present."
An expected result was a SSL connection because one of SAN attributes
matched host name. Instead a connection was refused.

Thank you,

Sergei Agalakov

Hi,

On 2016-05-09 17:08:10 +0000, sergei.agalakov@getmyle.com wrote:
> 4. $psql -h 10.240.0.3 -U postgres
> psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
> does not match host name "10.240.0.3"

Does psql -h myle-db001a-small.c.myle-gce-proj-01.internal work?

- Andres

On 09/05/16 20:08, sergei.agalakov@getmyle.com wrote:
> CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2
> 1. Created server certificate signed by local CA with three Subject
> Alternative Name values
> $ openssl x509 -in server.crt -text -noout
> ...
> X509v3 Subject Alternative Name:
>                  DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP
> Address:162.222.177.29, IP Address:10.240.0.3
> ...
> 2. Created and copied root.crt for local CA certificate
> 3. Switched SSL mode to verify-full
> $export PGSSLMODE=verify-full
> 4. $psql -h 10.240.0.3 -U postgres
> psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
> does not match host name "10.240.0.3"
> According to E.3.3.1.4. SSL in
> http://www.postgresql.org/docs/9.5/static/release-9-5.html
> PG 9.5 should check all Subject Alternative Names to match in the
> certificate. The same implies in
> http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
> "In verify-full mode, the host name is matched against the certificate's
> Subject Alternative Name attribute(s), or against the Common Name attribute
> if no Subject Alternative Name of type dNSName is present."
> An expected result was a SSL connection because one of SAN attributes
> matched host name. Instead a connection was refused.

PostgreSQL only pays attention to "DNS" SAN attributes, the IP addresses
are ignored. It would be a nice feature if it did, but that hasn't been
implemented.

- Heikki