BUG #5868: Client ignores X.509 subject alternative name

From: "Christopher Head" <chris2k01(at)hotmail(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #5868: Client ignores X.509 subject alternative name
Date: 2011-02-07 08:44:03
Message-ID: 201102070844.p178i3LP073118@wwwmaster.postgresql.org
Lists: pgsql-bugs


The following bug has been logged online:

Bug reference: 5868
Logged by: Christopher Head
Email address: chris2k01(at)hotmail(dot)com
PostgreSQL version: 9.0.1
Operating system: Linux amd64
Description: Client ignores X.509 subject alternative name
Details:

This is more of a wishlist/feature-request than an actual bug. The X.509v3
certificate standard allows an extension field called the "subject
alternative name". This field can contain a list of names that should be
considered as legitimate names for the entity to which the certificate
belongs. Specifically, if an alternative name is of the form
"DNS:some.domain.name.tld", then the certificate should be treated as though
legitimate for the domain "some.domain.name.tld", just as if that domain
were in the common name field of the subject distinguished name. Right now,
the psql client (probably libpq) doesn't look at this certificate extension;
rather, it only checks if the subject distinguished name common name field
matches the requested hostname. It would be nice if the alternative names
could be checked also (modern Web browsers all seem to check the extension
fine when using the certificate for HTTPS). What this allows is for the
common name to have a human-readable name instead of a hostname, with the
hostnames stuffed into the alternative names list. While this is pretty much
irrelevant for PostgreSQL connections, when sharing a certificate with a Web
server, browsers will show the human-readable distinguished name, which is
nice. Therefore, it would be preferable for the PostgreSQL clients to also
honour this field.
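
The difference the report describes, as an added example that is not part of the original message and is not libpq code: a CN-only hostname check next to one that also accepts DNS subject alternative names. The certificates are constructed sample data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, wildcard names are not handled, and preferring the SAN list over the CN when both exist follows RFC 6125 rather than anything stated in the report.

```python
# Added example with constructed data; hostnames and the CN are made up.

def _common_names(cert):
    """All commonName values from the subject distinguished name."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]

def _dns_alt_names(cert):
    """All DNS-type entries from the subjectAltName extension."""
    return [value
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def _same_host(a, b):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()

def match_cn_only(cert, host):
    """Behaviour described in the report: only the subject CN is compared."""
    return any(_same_host(cn, host) for cn in _common_names(cert))

def match_with_san(cert, host):
    """Requested behaviour: DNS alternative names are accepted as well.

    Per RFC 6125, when DNS alternative names are present they are
    authoritative and the CN is not consulted; the CN is only a fallback
    for certificates that carry none.
    """
    dns_names = _dns_alt_names(cert)
    if dns_names:
        return any(_same_host(name, host) for name in dns_names)
    return match_cn_only(cert, host)

# Constructed certificate: human-readable CN, hostnames in the SAN list.
SHARED_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "Example Org Public Services"),)),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "db.example.org"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed legacy certificate: hostname in the CN, no SAN extension.
LEGACY_CERT = {"subject": ((("commonName", "db.example.org"),),)}

if __name__ == "__main__":
    for host in ("db.example.org", "DB.Example.ORG", "other.example.net"):
        print(host, match_cn_only(SHARED_CERT, host), match_with_san(SHARED_CERT, host))
```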
