Re: implement subject alternative names support for SSL connections
| От | Alexey Klyukin |
|---|---|
| Тема | Re: implement subject alternative names support for SSL connections |
| Дата | |
| Msg-id | CAAS3tyLzcVin-A2po3oUWSjwGTv_BBfeGQ6+XSdVfDdTAXRfiQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: implement subject alternative names support for SSL connections (Heikki Linnakangas <hlinnakangas@vmware.com>) |
| Ответы |
Re: implement subject alternative names support for SSL connections
|
| Список | pgsql-hackers |
On Fri, Sep 12, 2014 at 4:20 PM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote: >> Hmm. If that's what the browsers do, I think we should also err on the >> side of caution here. Ignoring the CN is highly unlikely to cause anyone >> a problem; a CA worth its salt should not issue a certificate with a CN >> that's not also listed in the SAN section. But if you have such a >> certificate anyway for some reason, it shouldn't be too difficult to get >> a new certificate. Certificates expire every 1-3 years anyway, so there >> must be a procedure to renew them anyway. > > > Committed, with that change, ie. the CN is not checked if SANs are present. > > Thanks for bearing through all these iterations! Great news! Thank you very much for devoting your time and energy to the review and providing such a useful feedback! On the CN thing, I don't have particularly strong arguments for either of the possible behaviors, so sticking to RFC makes sense here Sincerely, -- Alexey Klyukin
В списке pgsql-hackers по дате отправления: