Re: [PATCH] Accept IP addresses in server certificate SANs

From: Jacob Champion <pchampion(at)vmware(dot)com>
To: "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Accept IP addresses in server certificate SANs
Date: 2021-12-16 19:14:58
Message-ID: 30c204679e113d7938c38c3c3bc0a88521553695.camel@vmware.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, 2021-12-16 at 10:50 -0500, Andrew Dunstan wrote:
> Good job, this is certainly going to be useful.

Thanks!

> I don't think we should fall back on the CN. It would seem quite odd to
> do so for IP addresses but not for DNS names.

So there's at least one compatibility concern with disabling the
fallback, in that there could be existing users that are happily using
a certificate with an IP address CN, and libpq is just ignoring any
iPAddress SANs that the certificate has. Once libpq becomes aware of
those, it will stop accepting the CN and the certificate might stop
working.

Personally I think that's acceptable, but it would probably warrant a
release note or some such.

I will work on implementing behavior that's modeled off of the NSS
matching logic (see my reply to Horiguchi-san), which will at least
make it more logically consistent, and we can see what that looks like?

Thanks for the review!
--Jacob

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Jacob Champion 2021-12-16 19:56:25 Re: Support for NSS as a libpq TLS backend
Previous Message Jacob Champion 2021-12-16 18:44:54 Re: [PATCH] Accept IP addresses in server certificate SANs