git.postgresql.org Git - postgresql.git/commitdiff

git projects / postgresql.git / commitdiff

Follow the RFCs more closely in libpq server certificate hostname check.

author Heikki Linnakangas <heikki.linnakangas@iki.fi>

2014年9月15日 13:14:24 +0000 (16:14 +0300)

committer Heikki Linnakangas <heikki.linnakangas@iki.fi>

2014年9月15日 13:16:06 +0000 (16:16 +0300)

The RFCs say that the CN must not be checked if a subjectAltName extension
of type dNSName is present. IOW, if subjectAltName extension is present,
but there are no dNSNames, we can still check the CN.

Alexey Klyukin

src/interfaces/libpq/fe-secure-openssl.c patch | blob | blame | history

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c

index 98d02b6b6345da61141741d60549426bf6146f08..78aa46de2f3d5c4404ec4dcbf632c8fb74afba63 100644 (file)

--- a/src/interfaces/libpq/fe-secure-openssl.c

+++ b/src/interfaces/libpq/fe-secure-openssl.c

@@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)

sk_GENERAL_NAME_free(peer_san);

}

- * If there is no subjectAltName extension, check the Common Name.

+ * If there is no subjectAltName extension of type dNSName, check the

+ * Common Name.

- * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,

- * the CN must be ignored.)

+ * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type

+ * dNSName is present, the CN must be ignored.)

- else

+ if (names_examined == 0)

{

X509_NAME *subject_name;

This is the main PostgreSQL git repository.

RSS Atom