Re: implement subject alternative names support for SSL connections

From: Alexey Klyukin <alexk(at)hintbits(dot)com>
To: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
Cc: Andres Freund <andres(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: implement subject alternative names support for SSL connections
Date: 2014-08-28 16:33:17
Message-ID: CAAS3ty+SpJrDo6=N2isnxapYsDWOGc+n0+gVDaHjk2Sq2tswoQ@mail.gmail.com
Lists: pgsql-hackers

On Mon, Aug 25, 2014 at 12:33 PM, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> wrote:

> On 08/25/2014 01:07 PM, Andres Freund wrote:
>
>> On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
>>
>>> But actually, I wonder if we should delegate the whole hostname matching to
>>> OpenSSL? There's a function called X509_check_host for that, although it's
>>> new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
>>> the current code to handle older versions.
>>>
>>
>> Given that we're about to add support for other SSL implementations I'm
>> not sure that that's a good idea. IIRC there exist quite a bit of
>> different interpretations about what denotes a valid cert between the
>> libraries.
>>
>
>
> As long as just this patch is concerned, I agree it's easier to just
> implement it ourselves, but if we want to start implementing more
> complicated rules, then I'd rather not get into that business at all, and
> let the SSL library vendor deal with the bugs and CVEs.
>

Sounds reasonable.

>
> I guess we'll go ahead with this patch for now, but keep this in mind if
> someone wants to complicate the rules further in the future.

+1

--
Regards,
Alexey Klyukin
