Re: implement subject alternative names support for SSL connections

From: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
To: Alexey Klyukin <alexk(at)hintbits(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: implement subject alternative names support for SSL connections
Date: 2014-08-25 10:02:50
Message-ID: 53FB09CA.7010804@vmware.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 08/24/2014 03:11 PM, Alexey Klyukin wrote:
> On Wed, Aug 20, 2014 at 11:53 AM, Heikki Linnakangas <
> hlinnakangas(at)vmware(dot)com> wrote:
>
>> On 07/25/2014 07:10 PM, Alexey Klyukin wrote:
>>
>>> Greetings,
>>>
>>> I'd like to propose a patch for checking subject alternative names entry
>>> in
>>> the SSL certificate for DNS names during SSL authentication.
>>>
>>
>> Thanks! I just ran into this missing feature last week, while working on
>> my SSL test suite. So +1 for having the feature.
>>
>> This patch needs to be rebased over current master branch, thanks to my
>> refactoring that moved all OpenSSL-specific stuff to be-secure-openssl.c.
>
>
> The patch is rebased against fe-secure-openssl.c (that's where
> verify_peer_name_matches_certificate appeared in the master branch), I've
> changed the condition in the for loop to be less confusing (thanks to
> comments from Magnus and Tom), making an explicit break once a match is
> detected.

The patch doesn't seem to support wildcards in alternative names. Is
that on purpose?

It would be good to add a little helper function that does the
NULL-check, straight comparison, and wildcard check, for a single name.
And then use that for the Common Name and all the Alternatives. That'll
ensure that all the same rules apply whether the name is the Common Name
or an Alternative (assuming that the rules are supposed to be the same;
I don't know if that's true).

But actually, I wonder if we should delegate the whole hostname matching
to OpenSSL? There's a function called X509_check_host for that, although
it's new in OpenSSL 1.1.0 so we'd need to add a configure test for that
and keep the current code to handle older versions.

- Heikki

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2014-08-25 10:07:41 Re: implement subject alternative names support for SSL connections
Previous Message Heikki Linnakangas 2014-08-25 09:37:14 Re: Extended Prefetching using Asynchronous IO - proposal and patch