Re: [PATCH] Accept IP addresses in server certificate SANs

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: pchampion(at)vmware(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] Accept IP addresses in server certificate SANs
Date: 2021-12-17 07:54:30
Message-ID: 20211217.165430.655740392355518222.horikyota.ntt@gmail.com
Lists: pgsql-hackers

Sorry for the silly mistake.

At Fri, 17 Dec 2021 15:40:10 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> > NSS departs slightly from the spec and will additionally try to match
> > an IP address against the CN, but only if there are no iPAddresses in
> > the SAN. It roughly matches the logic for DNS names.
>
> OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
> doesn't exist. X509_check_ip() tries SAN and completely ignores
> iPAddress and CN.

OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN
doesn't exist. X509_check_ip() tries iPAddress and completely ignores
CN.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
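
The behaviour discussed in this message can be observed with the `openssl x509 -checkhost` and `-checkip` options, which call X509_check_host() and X509_check_ip_asc(). This is an added example, not part of the original message or the patch; it assumes OpenSSL 1.1.1 or later (for `-addext`), and the certificate names and the address 192.0.2.1 are constructed.

```shell
#!/bin/sh
# Constructed test certificates; 192.0.2.1 is a documentation address (RFC 5737).
IP=192.0.2.1
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

# make_cert <name> [extra "openssl req" args]: self-signed cert with CN=$IP
make_cert() {
    name=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$IP" \
        -keyout "$TMP/$name.key" -out "$TMP/$name.pem" "$@" 2>/dev/null
}

# check <name> <-checkhost|-checkip>: prints "match" or "no-match" for $IP
check() {
    result=$(openssl x509 -in "$TMP/$1.pem" -noout "$2" "$IP") || return 2
    case $result in
        *"does match"*)     echo match ;;
        *"does NOT match"*) echo no-match ;;
        *)                  return 2 ;;
    esac
}

make_cert cn_only                                               # no SAN at all
make_cert san_ip  -addext "subjectAltName=IP:$IP"               # iPAddress SAN
make_cert san_dns -addext "subjectAltName=DNS:db.example.test"  # dNSName SAN only

# One line per certificate: result of the host check and of the IP check
for c in cn_only san_ip san_dns; do
    printf '%-8s checkhost=%-9s checkip=%s\n' "$c" \
        "$(check "$c" -checkhost)" "$(check "$c" -checkip)"
done
```

The `cn_only` row shows the difference: the host check accepts the address through the CN, while the IP check rejects the same certificate because it has no iPAddress entry.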
