It seems to be a documentation bug to me then

From: Sergei Agalakov <Sergei(dot)Agalakov(at)getmyle(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-bugs(at)postgresql(dot)org
Subject: It seems to be a documentation bug to me then
Date: 2016-05-09 20:29:50
Message-ID: 37243100-aa81-1e38-ec77-c33e837e0c66@getmyle.com
Lists: pgsql-bugs

To resolve this confusion, all we need is to add something like the following to the
documentation
http://www.postgresql.org/docs/9.5/static/libpq-ssl.html

Currently PostgreSQL supports only Subject Alternative Name attribute(s)
of type dNSName, and IP type isn't supported.

and remove

If the connection is made using an IP address instead of a host name,
the IP address will be matched (without doing any DNS lookups).

The last one seems to be incorrect if the SAN IP attributes are ignored.
Am I correct?

Sergei Agalakov

> On 09/05/16 20:08, sergei(dot)agalakov(at)getmyle(dot)com wrote:
> > CentOS 7, OpenSSL 1.0.2h, Postgres 9.5.2
> > 1. Created server certificate signed by local CA with three Subject
> > Alternative Name values
> > $ openssl x509 -in server.crt -text -noout
> > ...
> > X509v3 Subject Alternative Name:
> > DNS:myle-db001a-small.c.myle-gce-proj-01.internal, IP Address:162.222.177.29, IP Address:10.240.0.3
> > ...
> > 2. Created and copied root.crt for local CA certificate
> > 3. Switched SSL mode to verify-full
> > $ export PGSSLMODE=verify-full
> > 4. $ psql -h 10.240.0.3 -U postgres
> > psql: server certificate for "myle-db001a-small.c.myle-gce-proj-01.internal"
> > does not match host name "10.240.0.3"
> > According to E.3.3.1.4. SSL in
> > http://www.postgresql.org/docs/9.5/static/release-9-5.html
> > PG 9.5 should check all Subject Alternative Names to match in the
> > certificate. The same implies in
> > http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
> > "In verify-full mode, the host name is matched against the certificate's
> > Subject Alternative Name attribute(s), or against the Common Name attribute
> > if no Subject Alternative Name of type dNSName is present."
> > An expected result was a SSL connection because one of SAN attributes
> > matched host name. Instead a connection was refused.
>
> PostgreSQL only pays attention to "DNS" SAN attributes, the IP addresses
> are ignored. It would be a nice feature if it did, but that hasn't been
> implemented.
>
> - Heikki
>
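
The name-matching rule Heikki describes, written out as an added example (not libpq's code and not from the thread): dNSName SANs are checked, the Common Name only when no dNSName is present, and iPAddress SANs are never consulted, so `psql -h 10.240.0.3` fails even though the certificate carries that address. The leftmost-label wildcard rule and the placeholder CN are assumptions made here; the SAN values are the ones quoted in the report, and `ip_san_ignored` flags the exact gap the report hits.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate: CN plus (type, value) SAN pairs."""
    common_name: str
    san: list = field(default_factory=list)   # e.g. [("DNS", "db.internal"), ("IP", "10.0.0.1")]


def names_to_check(cert):
    """dNSName SANs are authoritative; the CN is consulted only when there are none.
    iPAddress SANs are never consulted, which is the behaviour the thread reports."""
    dns_names = [v for t, v in cert.san if t == "DNS"]
    return dns_names if dns_names else [cert.common_name]


def name_matches(pattern, host):
    """Case-insensitive comparison; '*' may stand for the leftmost label only (assumed rule)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def verify_full(cert, host):
    """True when verify-full, as modelled here, accepts the certificate for this host string."""
    return any(name_matches(n, host) for n in names_to_check(cert))


def ip_san_ignored(cert, host):
    """True when an iPAddress SAN covers the host yet verify-full still fails:
    the exact situation in the report (psql -h 10.240.0.3)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    ip_sans = {ipaddress.ip_address(v) for t, v in cert.san if t == "IP"}
    return addr in ip_sans and not verify_full(cert, host)


# Mirrors the SAN values quoted in the report; the CN is a constructed placeholder.
REPORTED_CERT = Cert("placeholder-cn.internal",
                     [("DNS", "myle-db001a-small.c.myle-gce-proj-01.internal"),
                      ("IP", "162.222.177.29"), ("IP", "10.240.0.3")])
```

A certificate whose CN is the bare IP string and which carries no dNSName SAN still passes when connecting by that IP, which is the case the disputed documentation sentence was describing.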
