Re: BUG #5559: Full SSL verification fails when hostaddr provided
From | Tom Lane |
---|---|
Subject | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
Date | |
Msg-id | 18252.1279058967@sss.pgh.pa.us |
In response to | BUG #5559: Full SSL verification fails when hostaddr provided ("Christopher Head" <chris2k01@hotmail.com>) |
Responses | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
List | pgsql-bugs |

"Christopher Head" <chris2k01@hotmail.com> writes:

> When establishing a connection to a PostgreSQL server using a connection
> string, there are two parameters that can be provided to specify where to
> connect to: "host" and "hostaddr". If both are provided, the documentation
> states that "hostaddr" is used to actually establish the socket (thus
> avoiding a potentially-expensive DNS lookup), while "host" is used for
> doing some Kerberos stuff.
> It makes sense that in the case of an SSL connection with
> "sslmode=verify-full" (check that the server's certificate is signed by a
> trusted CA and has the correct hostname), if both parameters are provided,
> that "host" also be used for certificate checking. Unfortunately, as per
> line 536 of the file fe-secure.c in the PostgreSQL sources, if hostaddr is
> specified, SSL full verification just plain fails without trying at all.
> I suspect this line should be "if (!conn->pghost)" instead of
> "if (conn->pghostaddr)".

That's really a definitional change, but it seems like a reasonable one to me. Magnus, what do you think?

regards, tom lane
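
An added illustration, not part of the original message and not libpq's source: a small C model of the check discussed above, comparing the behaviour the report describes with the one-line change it proposes. The struct, function names, host name and address are constructed; only the `pghost`/`pghostaddr` field names and the two conditions come from the message.

```c
#include <ctype.h>
#include <stdio.h>

/* Constructed stand-in for the two fields named in the report; not libpq's PGconn. */
struct conn_model {
    const char *pghost;      /* "host": name the user asked for, or NULL */
    const char *pghostaddr;  /* "hostaddr": address used for the socket, or NULL */
};

/* Case-insensitive exact match; wildcard certificates are out of scope here. */
static int names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns 1 if verify-full accepts the certificate name, 0 if it fails.
 * proposed == 0: condition from the report, "if (conn->pghostaddr)" fails.
 * proposed == 1: suggested condition, "if (!conn->pghost)" fails. */
int verify_conn(const char *host, const char *hostaddr,
                const char *cert_cn, int proposed)
{
    struct conn_model c = { host, hostaddr };

    if (proposed ? (c.pghost == NULL) : (c.pghostaddr != NULL))
        return 0;            /* no usable name to compare: fail closed */
    if (c.pghost == NULL || cert_cn == NULL)
        return 0;            /* reported path with neither name available */
    return names_equal(c.pghost, cert_cn);
}

int main(void)
{
    const char *cn = "db.example.com";   /* constructed certificate name */
    const char *ip = "192.0.2.10";       /* constructed (documentation range) */

    printf("host+hostaddr, reported: %d\n", verify_conn(cn, ip, cn, 0));
    printf("host+hostaddr, proposed: %d\n", verify_conn(cn, ip, cn, 1));
    printf("hostaddr only, proposed: %d\n", verify_conn(NULL, ip, cn, 1));
    printf("wrong host,    proposed: %d\n",
           verify_conn("other.example.com", ip, cn, 1));
    return 0;
}
```

Under the proposed condition a connection that gives only `hostaddr` still fails verification, because there is no host name to compare against the certificate.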