Re: implement subject alternative names support for SSL connections
From | Alexey Klyukin |
---|---|
Subject | Re: implement subject alternative names support for SSL connections |
Date | |
Msg-id | CAAS3ty+xU4rEqUFXiqfyq5wNY8k=sme28DvyfVgjOkae1LE+Ew@mail.gmail.com |
In reply to | Re: implement subject alternative names support for SSL connections (Heikki Linnakangas <hlinnakangas@vmware.com>) |
Responses | Re: implement subject alternative names support for SSL connections |
List | pgsql-hackers |
On Wed, Aug 20, 2014 at 11:53 AM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:
> On 07/25/2014 07:10 PM, Alexey Klyukin wrote:
>> Greetings,
>>
>> I'd like to propose a patch for checking subject alternative names entry in
>> the SSL certificate for DNS names during SSL authentication.
>
> Thanks! I just ran into this missing feature last week, while working on my SSL test suite. So +1 for having the feature.
>
> This patch needs to be rebased over current master branch, thanks to my refactoring that moved all OpenSSL-specific stuff to be-secure-openssl.c.

The patch is rebased against fe-secure-openssl.c (that's where verify_peer_name_matches_certificate appeared in the master branch), I've changed the condition in the for loop to be less confusing (thanks to comments from Magnus and Tom), making an explicit break once a match is detected.
Note that it generates a lot of OpenSSL-related warnings on my system (66 total) with clang, complaining about "$X is deprecated: first deprecated in OS X 10.7 [-Wdeprecated-declarations]", but it does so for most other SSL functions, so I don't think it's a problem introduced by this patch.
Sincerely,
Alexey.
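
The check discussed in this message (matching a host name against the certificate's subject alternative name DNS entries, leaving the loop with an explicit break on the first match), as an added example that is not the patch's or PostgreSQL's code. The names `san_dns`, `san_entry_matches`, `host_matches_san` and the sample entries are hypothetical; the single-label wildcard rule and the rejection of entries with embedded NUL bytes are assumptions about a sensible matching policy, not a description of what the patch does.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* A dNSName entry as a parser returns it: bytes plus explicit length. */
struct san_dns { const char *data; size_t len; };
#define SAN(s) { (s), sizeof(s) - 1 }

/* Constructed sample list, not taken from a real certificate. */
const struct san_dns sample_sans[] = {
    SAN("db.example.com"),
    SAN("*.replica.example.com"),
    SAN("good.example\0.evil.test"),    /* embedded NUL */
};

/* Case-insensitive comparison of n bytes (DNS names are ASCII). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return 0;
    return 1;
}

static int san_entry_matches(const struct san_dns *e, const char *host)
{
    size_t hostlen = strlen(host);
    const char *dot = strchr(host, '.');

    /* Reject embedded NULs: code that treats data as a C string would
     * see only "good.example" in the third sample entry. */
    if (e->len == 0 || memchr(e->data, '\0', e->len) != NULL)
        return 0;
    if (e->len == hostlen && eq_nocase(e->data, host, hostlen))
        return 1;                       /* exact match */
    /* Wildcard "*.suffix": "*" stands for exactly one non-empty label. */
    if (e->len > 2 && e->data[0] == '*' && e->data[1] == '.' &&
        dot != NULL && dot != host && strlen(dot) == e->len - 1)
        return eq_nocase(dot, e->data + 1, e->len - 1);
    return 0;
}

/* Returns 1 if any entry matches; stops at the first match. */
int host_matches_san(const struct san_dns *sans, size_t n, const char *host)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (san_entry_matches(&sans[i], host)) {
            found = 1;
            break;
        }
    }
    return found;
}
```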