Re: [PATCH] Accept IP addresses in server certificate SANs

Kyotaro Horiguchi <horikyota.ntt@gmail.com>

From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: pchampion@vmware.com
Cc: pgsql-hackers@postgresql.org
Date: 2021-12-17T07:54:30Z
Lists: pgsql-hackers
Sorry for the silly mistake.

At Fri, 17 Dec 2021 15:40:10 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in 
> > NSS departs slightly from the spec and will additionally try to match
> > an IP address against the CN, but only if there are no iPAddresses in
> > the SAN. It roughly matches the logic for DNS names.
> 
> OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
> doesn't exist.  X509_check_ip() tries SAN and completely ignores
> iPAdress and CN.

OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
doesn't exist.  X509_check_ip() tries iPAddress and completely ignores
CN.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center



Commits

  1. libpq: Allow IP address SANs in server certificates

  2. Add SSL tests for IP addresses in certificates

  3. Make JSON path numeric literals more correct