since-v6.diff.txt
text/plain
Filename: since-v6.diff.txt
Type: text/plain
Part: 0
commit 51052e322f4d4e4f75d3cf3d000a363244696013
Author: Jacob Champion <pchampion@vmware.com>
Date: Tue Mar 15 16:02:15 2022 -0700
squash! libpq: allow IP address SANs in server certs
Per discussion on list, add tests for the (counter-intuitive) standing
behavior that matches IP addresses embedded in dNSName SANs.
diff --git a/src/test/ssl/conf/server-ip-in-dnsname.config b/src/test/ssl/conf/server-ip-in-dnsname.config
new file mode 100644
index 0000000000..b15649aef7
--- /dev/null
+++ b/src/test/ssl/conf/server-ip-in-dnsname.config
@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+# Normally IP addresses should not go into a dNSName.
+[ alt_names ]
+DNS.1 = 192.0.2.1
diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.crt b/src/test/ssl/ssl/server-ip-in-dnsname.crt
new file mode 100644
index 0000000000..78ad8d99c8
--- /dev/null
+++ b/src/test/ssl/ssl/server-ip-in-dnsname.crt
@@ -0,0 +1,70 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2315416547509162496 (0x2022031515585200)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN = Test CA for PostgreSQL SSL regression test server certs
+ Validity
+ Not Before: Mar 15 22:58:52 2022 GMT
+ Not After : Jul 31 22:58:52 2049 GMT
+ Subject: OU = PostgreSQL test suite
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:ca:67:e5:b3:f5:fc:e7:c1:41:1f:f2:bc:e9:0e:
+ 07:3c:40:ac:4d:63:d5:84:a1:55:ad:a9:72:3f:3d:
+ eb:e0:95:0c:48:15:37:91:e5:bb:3e:ca:1d:4f:c9:
+ 63:33:59:08:01:db:e5:60:07:ba:f5:f1:29:ea:23:
+ e1:38:b9:6d:ed:4a:b2:a3:b4:98:dd:69:f9:13:0d:
+ ed:59:42:a4:2a:5b:d0:05:93:cf:8c:fe:23:c4:d4:
+ 85:26:67:9a:08:21:1e:f7:d6:e1:17:dc:64:c0:9c:
+ 1e:ad:6f:7a:f5:53:0f:14:7f:70:06:c3:3d:8a:60:
+ 04:20:f9:17:f4:99:31:1c:8c:0f:0e:41:ec:82:cb:
+ 99:fb:74:7a:a0:35:9c:2a:9a:bf:2a:81:08:66:6f:
+ c7:5a:25:f0:de:41:7d:57:6b:0d:7a:7f:ac:de:7d:
+ f7:b9:21:05:64:11:67:c8:3c:e0:56:72:15:95:df:
+ a7:0a:79:ed:eb:b4:38:64:03:cd:91:57:a0:42:f6:
+ b7:83:95:95:de:bb:2b:98:dc:72:55:95:c4:76:3a:
+ 14:67:07:8c:2b:f2:aa:ce:3c:3c:23:ce:47:ce:1a:
+ 9d:9c:23:1a:ca:95:39:2e:b6:e7:4f:c3:58:a0:50:
+ 3b:82:b2:86:44:d5:7f:40:16:fc:80:86:48:c3:8a:
+ 90:09
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:192.0.2.1
+ Signature Algorithm: sha256WithRSAEncryption
+ c8:00:01:f4:58:92:84:a5:b3:cd:d1:08:a1:37:a4:85:50:0e:
+ 56:2f:88:b1:b0:10:02:a3:d3:88:00:69:12:9c:a7:8e:79:51:
+ 06:e6:fb:e0:3a:76:b4:86:34:1c:39:c8:2d:23:5a:02:0c:b8:
+ 54:2d:c8:c2:bb:0c:62:21:6e:b2:42:7b:4e:6b:3c:a8:d2:ca:
+ 28:26:bd:21:12:6d:96:7e:2a:6f:22:94:2c:e9:6f:44:d4:e4:
+ dc:b3:ad:b8:04:05:5f:90:0c:2b:e9:64:f6:57:0a:08:00:f7:
+ 10:0f:69:d1:b4:84:21:49:42:11:f4:9e:d0:e5:66:f3:b9:0c:
+ 3b:a6:d8:50:84:17:d6:fd:43:d6:c3:bb:da:8d:e9:74:af:57:
+ 5f:95:b7:b4:0a:0a:79:58:63:5f:a7:59:18:cb:e4:1f:5d:6f:
+ d8:8e:4b:2d:64:43:f5:28:59:be:4c:5e:7c:bb:1a:c8:0e:66:
+ 1b:a1:2f:04:7a:b5:11:10:64:22:c6:28:db:23:40:1f:5e:34:
+ a1:c6:d8:b2:4b:ad:eb:6d:da:68:dc:2d:01:3e:3f:58:c7:65:
+ 6d:5a:2e:14:d2:aa:1e:7f:f8:8b:27:12:41:08:bb:c4:ff:de:
+ fe:76:e3:dd:2b:1d:00:92:43:96:03:d5:6e:7a:79:16:2e:9e:
+ fd:ed:43:3c
+-----BEGIN CERTIFICATE-----
+MIIC/DCCAeSgAwIBAgIIICIDFRVYUgAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMjAzMTUyMjU4NTJaFw00OTA3MzEyMjU4NTJaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMpn5bP1/OfBQR/yvOkOBzxArE1j1YShVa2pcj896+CVDEgV
+N5Hluz7KHU/JYzNZCAHb5WAHuvXxKeoj4Ti5be1KsqO0mN1p+RMN7VlCpCpb0AWT
+z4z+I8TUhSZnmgghHvfW4RfcZMCcHq1vevVTDxR/cAbDPYpgBCD5F/SZMRyMDw5B
+7ILLmft0eqA1nCqavyqBCGZvx1ol8N5BfVdrDXp/rN5997khBWQRZ8g84FZyFZXf
+pwp57eu0OGQDzZFXoEL2t4OVld67K5jcclWVxHY6FGcHjCvyqs48PCPOR84anZwj
+GsqVOS6250/DWKBQO4KyhkTVf0AW/ICGSMOKkAkCAwEAAaMYMBYwFAYDVR0RBA0w
+C4IJMTkyLjAuMi4xMA0GCSqGSIb3DQEBCwUAA4IBAQDIAAH0WJKEpbPN0QihN6SF
+UA5WL4ixsBACo9OIAGkSnKeOeVEG5vvgOna0hjQcOcgtI1oCDLhULcjCuwxiIW6y
+QntOazyo0sooJr0hEm2WfipvIpQs6W9E1OTcs624BAVfkAwr6WT2VwoIAPcQD2nR
+tIQhSUIR9J7Q5WbzuQw7pthQhBfW/UPWw7vajel0r1dflbe0Cgp5WGNfp1kYy+Qf
+XW/YjkstZEP1KFm+TF58uxrIDmYboS8EerUREGQixijbI0AfXjShxtiyS63rbdpo
+3C0BPj9Yx2VtWi4U0qoef/iLJxJBCLvE/97+duPdKx0AkkOWA9VuenkWLp797UM8
+-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.key b/src/test/ssl/ssl/server-ip-in-dnsname.key
new file mode 100644
index 0000000000..ba319b001e
--- /dev/null
+++ b/src/test/ssl/ssl/server-ip-in-dnsname.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAymfls/X858FBH/K86Q4HPECsTWPVhKFVralyPz3r4JUMSBU3
+keW7PsodT8ljM1kIAdvlYAe69fEp6iPhOLlt7Uqyo7SY3Wn5Ew3tWUKkKlvQBZPP
+jP4jxNSFJmeaCCEe99bhF9xkwJwerW969VMPFH9wBsM9imAEIPkX9JkxHIwPDkHs
+gsuZ+3R6oDWcKpq/KoEIZm/HWiXw3kF9V2sNen+s3n33uSEFZBFnyDzgVnIVld+n
+Cnnt67Q4ZAPNkVegQva3g5WV3rsrmNxyVZXEdjoUZweMK/Kqzjw8I85HzhqdnCMa
+ypU5LrbnT8NYoFA7grKGRNV/QBb8gIZIw4qQCQIDAQABAoIBAA2kPP4JCTeRddMy
+Z/sJIAG2liZNITnkKcMflXyfrsMfKIm/LFSf+CO+OYWEHDR8vqZpbKcxPi+PRnTq
+YCaTkM4aZ7nS1S6vEsNu/90xOaFFONr3YFivVDfS3vp8pwv/N3gaumcCSqQUoZis
+18urAmwuPp2mEQK/f+e9AhlRLdcvlqDyKm+zMrVixK77Hj5JiEkh3rfZ3onHHKGE
+B7T2XRRqnZ4FCN9qLH2pMGUknZ4MGC9SlCyoerXFodb4DhKWQhJDRLjb8qP96r/E
+FGSg5WUiAERU/OgODoqZNTeIwIDB/f9NK45dEY3Hw6BsSFfU2VChrlNoVlzFUx2k
+yaH5Y4ECgYEA8rht3crh3GTy0jBJjNqB2iul8fkG/uiaiSvERWT/+KZnmV1+JGAW
+h2/wvd5apagOJjqKY0bCHMei/qYF9r4yJnkIy4qNper3QUz7TMCjsWduCm8S834A
+Z+Vwi3RBGJiQQH9Dfexko5sDjo+w5g4RsH52INCeReInNdxHOv06jZECgYEA1XrR
+QNwZlxHt3H93YKmKDZXikqW12Cuq6RSwf5VVdeuzV+pUN+/JaSgEuYsBilW7Q5p2
+gPROi0l8/eUPsBJb+dh1BcGzSjI2Kkzf66QOTG83S7tCPwQhwJUAylFuADvURjPQ
+qvqNjbQUomdm2QjBzyWtiFbolqxBgM3dnE6R/vkCgYBYGqQexx83LhmKPGbmTwal
+mARzkg59BxfZRN7IxcG4k0a1v98i+xISdYqwkP7cdOU18Tf8k1mwsrKytrcheqaf
+mn2bzJ5gJKs9s+DgWmjQ45dpCCqb4hfpnro8lKVwdSifkNKB6gYZ8RHYdMYkq+S1
+6SGeBbv95/qNrXjZq8POUQKBgHyaDwD4dsdCY79LdvYofrenQHOv3Q+rjTo2JT6S
+fysww6EQ2M89WiXSgc96Xw/LMl4nDfv+nMmXvyjCRgHS9XRC7yrJAEjSPeM6s4fq
+XZ4nW/ML/YKiesDZN3jfRoFEaoX/QFBLpcuLzG9uQw1ymwy5RSxK7b7kE+eGQU82
+XOihAoGBAI3xvT9fG3jRsSuw/8OQBlmDUFZcT0fRPRZ3pg8XlSreAam4b607d2WY
+u/bBHIclG3CLJ2EFqBtxl9AQeM0OTweF0KmV3dbtdBmaTbnhbK8/NLYnl5+aosEJ
+YrFKD8k8z6z+mYQs+7bAnfRa53TjfC7f24BpgEQyEfKL2fa3PF+J
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index f9be5ffdba..d6a3870079 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -27,6 +27,7 @@ SERVERS := server-cn-and-alt-names \
server-ip-cn-only \
server-ip-cn-and-alt-names \
server-ip-cn-and-dns-alt-names \
+ server-ip-in-dnsname \
server-single-alt-name \
server-multiple-alt-names \
server-ip-alt-names \
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 6c73c0f9ea..07e5b71d8c 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -266,6 +266,13 @@ $node->connect_fails(
qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
);
+# Similarly, we'll also match an IP address in a dNSName SAN. (This is
+# long-standing behavior.)
+switch_server_cert($node, 'server-ip-in-dnsname');
+
+$node->connect_ok("$common_connstr host=192.0.2.1",
+ "IP address in a dNSName");
+
# Test Subject Alternative Names.
switch_server_cert($node, 'server-multiple-alt-names');