Follow the RFCs more closely in libpq server certificate hostname check.

The RFCs say that the CN must not be checked if a subjectAltName extension
of type dNSName is present. IOW, if subjectAltName extension is present,
but there are no dNSNames, we can still check the CN.

Alexey Klyukin
pull/14/head
Heikki Linnakangas 11 years ago
parent 2df465e696
commit 58e70cf9fb
src/interfaces/libpq/fe-secure-openssl.c

@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
sk_GENERAL_NAME_free(peer_san);
}
/*
* If there is no subjectAltName extension, check the Common Name.
* If there is no subjectAltName extension of type dNSName, check the
* Common Name.
*
* (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,
* the CN must be ignored.)
* (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
* dNSName is present, the CN must be ignored.)
*/
else
if (names_examined == 0)
{
X509_NAME *subject_name;
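Review bot: the new fallback condition `if (names_examined == 0)` is only correct if `names_examined` is initialized to zero before the subjectAltName loop and incremented solely for entries of type dNSName; neither the initialization nor the increment is visible in this hunk, so please confirm that other GENERAL_NAME types (iPAddress, rfc822Name, etc.) are not counted, otherwise a certificate whose SAN holds only non-DNS entries would skip the Common Name check that the commit message says should still happen. Since the old `else` branch (no subjectAltName at all) is replaced rather than kept alongside the count, a certificate with no SAN extension at all must also leave `names_examined` at zero for the CN path to be reached. Consider citing the exact section in the updated comment (RFC 6125 section 6.4.4 describes the CN-ID fallback only when no DNS-ID is present) so the rationale for "of type dNSName" is traceable for later readers.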
