pgsql: libpq: Allow IP address SANs in server certificates

From: Peter Eisentraut <peter(at)eisentraut(dot)org>
To: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: pgsql: libpq: Allow IP address SANs in server certificates
Date: 2022-04-01 14:02:22
Message-ID: E1naHr4-000JOY-FK@gemulon.postgresql.org
Lists: pgsql-committers

libpq: Allow IP address SANs in server certificates

The current implementation supports exactly one IP address in a server
certificate's Common Name, which is brittle (the strings must match
exactly). This patch adds support for IPv4 and IPv6 addresses in a
server's Subject Alternative Names.

Per discussion on-list:

- If the client's expected host is an IP address, we allow fallback to
  the Subject Common Name if an iPAddress SAN is not present, even if
  a dNSName is present. This matches the behavior of NSS, in
  violation of the relevant RFCs.

- We also, counter-intuitively, match IP addresses embedded in dNSName
  SANs. From inspection this appears to have been the behavior since
  the SAN matching feature was introduced in acd08d76.

- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.

Author: Jacob Champion <pchampion(at)vmware(dot)com>
Co-authored-by: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
Co-authored-by: Daniel Gustafsson <daniel(at)yesql(dot)se>
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe(dot)camel(at)vmware(dot)com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/c1932e542863f0f646f005b3492452acc57c7e66

Modified Files
--------------
configure | 2 +-
configure.ac | 1 +
doc/src/sgml/libpq.sgml | 21 ++-
src/include/pg_config.h.in | 3 +
src/interfaces/libpq/fe-secure-common.c | 104 +++++++++++++++
src/interfaces/libpq/fe-secure-common.h | 4 +
src/interfaces/libpq/fe-secure-openssl.c | 143 +++++++++++++++++++--
.../ssl/conf/server-cn-and-ip-alt-names.config | 24 ++++
src/test/ssl/conf/server-ip-alt-names.config | 19 +++
.../ssl/conf/server-ip-cn-and-alt-names.config | 21 +++
.../ssl/conf/server-ip-cn-and-dns-alt-names.config | 21 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.crt | 20 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.key | 27 ++++
src/test/ssl/ssl/server-ip-alt-names.crt | 19 +++
src/test/ssl/ssl/server-ip-alt-names.key | 27 ++++
src/test/ssl/ssl/server-ip-cn-and-alt-names.crt | 19 +++
src/test/ssl/ssl/server-ip-cn-and-alt-names.key | 27 ++++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.crt | 20 +++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.key | 27 ++++
src/test/ssl/sslfiles.mk | 4 +
src/test/ssl/t/001_ssltests.pl | 98 ++++++++++++++
src/tools/msvc/Solution.pm | 1 +
22 files changed, 635 insertions(+), 17 deletions(-)
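
The three rules listed in the commit message above, for a client whose expected host is an IP literal, as an added C example that is not libpq's code. The names struct san, parse_ip and ip_host_matches_cert are hypothetical, the certificate is modelled as a constructed array instead of being parsed with OpenSSL, and text comparisons are assumed to be plain strcmp.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one SAN entry (hypothetical, not a libpq type). */
enum san_type { SAN_DNS, SAN_IP };
struct san {
    enum san_type type;
    const char *dns;        /* dNSName text, used when type == SAN_DNS */
    unsigned char ip[16];   /* iPAddress octets, used when type == SAN_IP */
    size_t iplen;           /* 4 for IPv4, 16 for IPv6 */
};

/* Parse an IP literal into network-order octets; returns 0 if not an IP. */
static size_t parse_ip(const char *host, unsigned char out[16])
{
    if (inet_pton(AF_INET, host, out) == 1) return 4;
    if (inet_pton(AF_INET6, host, out) == 1) return 16;
    return 0;
}

/* Decide whether an IP-literal host is accepted for the modelled certificate. */
bool ip_host_matches_cert(const char *host, const char *cn,
                          const struct san *sans, size_t nsans)
{
    unsigned char want[16];
    size_t wantlen = parse_ip(host, want);
    bool saw_ip_san = false;

    if (wantlen == 0) return false;     /* hostnames are out of scope here */
    for (size_t i = 0; i < nsans; i++) {
        if (sans[i].type == SAN_IP) {
            saw_ip_san = true;
            /* Octet comparison; a 4-byte SAN never matches a 16-byte host. */
            if (sans[i].iplen == wantlen && memcmp(sans[i].ip, want, wantlen) == 0)
                return true;
        } else if (strcmp(sans[i].dns, host) == 0) {
            return true;                /* IP text embedded in a dNSName SAN */
        }
    }
    /* CN fallback only without any iPAddress SAN, even if dNSName SANs exist. */
    return !saw_ip_san && cn != NULL && strcmp(cn, host) == 0;
}

int main(void)
{
    struct san dns = { SAN_DNS, "db.example.com", {0}, 0 };   /* constructed */
    printf("%d\n", ip_host_matches_cert("192.0.2.1", "192.0.2.1", &dns, 1));
    return 0;
}
```

Because iPAddress SANs are compared as octets, "::1" and "0:0:0:0:0:0:0:1" both match the same SAN, which the exact-string Common Name comparison cannot do.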
