| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | harpagornis <shenlong(at)runbox(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SSL Certificates in Windows 7 & Postgres 9.3 |
| Date: | 2014-12-17 05:09:46 |
| Message-ID: | 5491101A.7000502@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 12/16/2014 08:56 PM, harpagornis wrote:
> To anyone following this thread, I would also like to point out the
> following, from Man 31.18.1.
>
> In verify-full mode, the cn (Common Name) attribute of the certificate is
> matched against the host name. If the cn attribute starts with an asterisk
> (*), it will be treated as a wildcard, and will match all characters except
> a dot (.). This means the certificate will not match subdomains. If the
> connection is made using an IP address instead of a host name, the IP
> address will be matched (without doing any DNS lookups).
> -----------------------------------------------------------------
> So it seems that when creating self-signed certificates for use in
> verify-full mode, the CN is not the user id, but instead, the host name, ie.
> 127.0.0.1, which is what I had.
That is true for the server certificate, but for the client certificate
you need the CN=username. Run through the below again:
http://www.howtoforge.com/postgresql-ssl-certificates
>
>
>
> --
> View this message in context: http://postgresql.nabble.com/SSL-Certificates-in-Windows-7-Postgres-9-3-tp5830749p5831037.html
> Sent from the PostgreSQL - general mailing list archive at Nabble.com.
>
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ramesh T | 2014-12-17 05:12:11 | Re: pg_dump |
| Previous Message | harpagornis | 2014-12-17 04:56:39 | Re: SSL Certificates in Windows 7 & Postgres 9.3 |