Re: [PATCH] Accept IP addresses in server certificate SANs

At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> At Thu, 17 Mar 2022 21:55:07 +0000, Jacob Champion <pchampion(at)vmware(dot)com> wrot> Thanks! .. and some nitpicks..(Sorry)
>
> fe-secure-common.c doesn't need netinet/in.h.
>
>
> +++ b/src/include/utils/inet.h
> ..
> +#include "common/inet-common.h"
>
> I'm not sure about the project policy on #include practice, but I
> think it is the common practice not to include headers that are not
> required by the file itself. In this case, fe-secure-common.h itself
> doesn't need the include. Instead, fe-secure-openssl.c and
> fe-secure-common.c needs the include.

I noticed that this doesn't contain doc changes.

https://www.postgresql.org/docs/current/libpq-ssl.html

> In verify-full mode, the host name is matched against the
> certificate's Subject Alternative Name attribute(s), or against the
> Common Name attribute if no Subject Alternative Name of type dNSName
> is present. If the certificate's name attribute starts with an
> asterisk (*), the asterisk will be treated as a wildcard, which will
> match all characters except a dot (.). This means the certificate will
> not match subdomains. If the connection is made using an IP address
> instead of a host name, the IP address will be matched (without doing
> any DNS lookups).

This refers to dNSName, so we should revise this so that it describes
the new behavior.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center