From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Asia <asia123321(at)op(dot)pl> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Universal certificate for verify-full ssl connection |
Date: | 2011-05-31 10:46:52 |
Message-ID: | BANLkTi=NycV4HjgS7EC5UwogG5kAZHV_Vg@mail.gmail.com |
Lists: | pgsql-general |
On Tue, May 31, 2011 at 12:44, Asia <asia123321(at)op(dot)pl> wrote:
>
>
> On 2011-05-31 11:09:10, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> On Tue, May 31, 2011 at 10:06, Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> wrote:
>> > On 31/05/11 15:40, Asia wrote:
>> >
>> >> Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or maybe this is a possible bug?
>> >
>> > I wouldn't be surprised if libpq didn't support wildcard certificates at
>> > all. I doubt there's ever been any demand for them.
>>
>> It certainly does, and it's an important feature.
>>
>> However, it's not intended to be used with IPs, it's intended to be
>> used with hostnames. The wildcard pattern has to start with "*."
>> (including the dot) to be considered. Thus a simple '*' in the
>> wildcard will not work, and anything starting with '*.' will never
>> match all IPs.
>>
>> --
>> Magnus Hagander
>> Me: http://www.hagander.net/
>> Work: http://www.redpill-linpro.com/
>>
>> --
>
> Thank you for your reply. Please have a look at the documentation below:
>
> http://www.postgresql.org/docs/9.0/interactive/libpq-ssl.html
>
> It clearly states:
>
> "In verify-full mode, the cn (Common Name) attribute of the certificate is matched against the host name. If the cn attribute starts with an asterisk (*), it will be treated as a wildcard, and will match all characters except a dot (.). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing any DNS lookups)."
Yes. Note that the IP address comment comes *after* the discussion of
the wildcard one - the wildcards only work with hostnames.
> It seems that some day someone wanted it to work like I need.
>
> Btw I have also tried *.*.*.* since it is stated that * does not match subdomains and it still did not work. It is really important to have the universal certificate to be able to match several IPs.
No, we only match a single wildcard in a pattern.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
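The matching rules the thread spells out (exact match first; a wildcard is only considered when the CN starts with "*." including the dot, so a bare "*" is never one; the wildcard covers a single label and so never crosses a dot; only one wildcard per pattern; an IP literal is compared as a plain string with no DNS lookup) are small enough to model directly. The following C program is an added example written for this page, not libpq's own code: it implements those documented rules as described and runs the cases from the thread against them. Case-insensitive comparison and the sample CN/host pairs are assumptions of the example, not something the thread states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Added example, not libpq's code: a model of the verify-full Common Name
 * matching rules described in the thread.
 *
 *   1. An exact match between CN and the host string always wins. A host given
 *      as an IP literal is compared as a plain string, with no DNS lookup.
 *   2. A wildcard is only considered when the CN starts with "*." (dot
 *      included). A bare "*" is therefore never treated as a wildcard.
 *   3. The "*" stands for exactly one DNS label: any characters except '.',
 *      so it never matches subdomains.
 *   4. Only a single wildcard is honoured; "*.*.*.*" is not a usable pattern.
 *
 * Assumption of this example: comparisons are case-insensitive.
 */

/* Returns true when 'cn' is a wildcard pattern that matches 'host'. */
static bool
wildcard_cn_matches(const char *cn, const char *host)
{
    size_t      cnlen = strlen(cn);
    size_t      hostlen = strlen(host);
    const char *suffix;         /* the ".example.com" part of "*.example.com" */
    size_t      suffixlen;
    size_t      labellen;       /* length of the host part the '*' must cover */
    size_t      i;

    /* Rule 2: must start with "*." and have something after the dot */
    if (cnlen < 3 || cn[0] != '*' || cn[1] != '.')
        return false;

    suffix = cn + 1;            /* keeps the leading dot */
    suffixlen = cnlen - 1;

    /* Rule 4: no further wildcard characters anywhere in the suffix */
    if (strchr(suffix, '*') != NULL)
        return false;

    /* The '*' must cover at least one character of the host */
    if (hostlen <= suffixlen)
        return false;

    labellen = hostlen - suffixlen;

    /* The tail of the host must equal the suffix */
    if (strcasecmp(host + labellen, suffix) != 0)
        return false;

    /* Rule 3: the part covered by '*' must be a single label (no dots) */
    for (i = 0; i < labellen; i++)
        if (host[i] == '.')
            return false;

    return true;
}

/* Full verify-full decision for a CN/host pair: exact match, then wildcard. */
bool
cn_matches_host(const char *cn, const char *host)
{
    if (strcasecmp(cn, host) == 0)
        return true;            /* Rule 1, which also covers IP literals */
    return wildcard_cn_matches(cn, host);
}

int
main(void)
{
    /* Constructed sample cases mirroring the cases discussed in the thread */
    struct { const char *cn; const char *host; } cases[] = {
        { "*.example.com", "db1.example.com" },    /* one label: match       */
        { "*.example.com", "a.db1.example.com" },  /* subdomain: no match    */
        { "*.example.com", "example.com" },        /* nothing for '*': no    */
        { "*",             "192.0.2.10" },         /* bare '*': no wildcard  */
        { "*.*.*.*",       "192.0.2.10" },         /* several '*': no match  */
        { "192.0.2.10",    "192.0.2.10" },         /* IP literal, exact: yes */
    };
    size_t n = sizeof cases / sizeof cases[0];

    for (size_t i = 0; i < n; i++)
        printf("CN %-16s host %-20s -> %s\n", cases[i].cn, cases[i].host,
               cn_matches_host(cases[i].cn, cases[i].host) ? "match" : "no match");
    return 0;
}
```

Compile with any C99 compiler on a POSIX system (strcasecmp comes from strings.h). The two IP cases show the point Magnus makes: a wildcard CN can only ever cover one label, so no single pattern can stand in for "all IPs", and the only CN that matches an IP literal under these rules is one that names that address exactly.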