Re: [PATCH] Accept IP addresses in server certificate SANs
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: pchampion@vmware.com
Cc: pgsql-hackers@postgresql.org
Date: 2021-12-17T07:54:30Z
Lists: pgsql-hackers
Sorry for the silly mistake. At Fri, 17 Dec 2021 15:40:10 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in > > NSS departs slightly from the spec and will additionally try to match > > an IP address against the CN, but only if there are no iPAddresses in > > the SAN. It roughly matches the logic for DNS names. > > OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN > doesn't exist. X509_check_ip() tries SAN and completely ignores > iPAdress and CN. OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN doesn't exist. X509_check_ip() tries iPAddress and completely ignores CN. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Commits
-
libpq: Allow IP address SANs in server certificates
- c1932e542863 15.0 landed
-
Add SSL tests for IP addresses in certificates
- af9e18049550 15.0 landed
-
Make JSON path numeric literals more correct
- e26114c817b6 15.0 cited