Re: [PATCH] Accept IP addresses in server certificate SANs
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "andrew@dunslane.net" <andrew@dunslane.net>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-12-16T19:14:58Z
Lists: pgsql-hackers
On Thu, 2021-12-16 at 10:50 -0500, Andrew Dunstan wrote: > Good job, this is certainly going to be useful. Thanks! > I don't think we should fall back on the CN. It would seem quite odd to > do so for IP addresses but not for DNS names. So there's at least one compatibility concern with disabling the fallback, in that there could be existing users that are happily using a certificate with an IP address CN, and libpq is just ignoring any iPAddress SANs that the certificate has. Once libpq becomes aware of those, it will stop accepting the CN and the certificate might stop working. Personally I think that's acceptable, but it would probably warrant a release note or some such. I will work on implementing behavior that's modeled off of the NSS matching logic (see my reply to Horiguchi-san), which will at least make it more logically consistent, and we can see what that looks like? Thanks for the review! --Jacob
Commits
-
libpq: Allow IP address SANs in server certificates
- c1932e542863 15.0 landed
-
Add SSL tests for IP addresses in certificates
- af9e18049550 15.0 landed
-
Make JSON path numeric literals more correct
- e26114c817b6 15.0 cited