pgsql: libpq: Allow IP address SANs in server certificates
From | Peter Eisentraut |
---|---|
Subject | pgsql: libpq: Allow IP address SANs in server certificates |
Date | |
Msg-id | E1naHr4-000JOY-FK@gemulon.postgresql.org |
List | pgsql-committers |
libpq: Allow IP address SANs in server certificates

The current implementation supports exactly one IP address in a server certificate's Common Name, which is brittle (the strings must match exactly). This patch adds support for IPv4 and IPv6 addresses in a server's Subject Alternative Names.

Per discussion on-list:

- If the client's expected host is an IP address, we allow fallback to the Subject Common Name if an iPAddress SAN is not present, even if a dNSName is present. This matches the behavior of NSS, in violation of the relevant RFCs.
- We also, counter-intuitively, match IP addresses embedded in dNSName SANs. From inspection this appears to have been the behavior since the SAN matching feature was introduced in acd08d76.
- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.

Author: Jacob Champion <pchampion@vmware.com>
Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/c1932e542863f0f646f005b3492452acc57c7e66

Modified Files
--------------
configure | 2 +-
configure.ac | 1 +
doc/src/sgml/libpq.sgml | 21 ++-
src/include/pg_config.h.in | 3 +
src/interfaces/libpq/fe-secure-common.c | 104 +++++++++++++++
src/interfaces/libpq/fe-secure-common.h | 4 +
src/interfaces/libpq/fe-secure-openssl.c | 143 +++++++++++++++++++--
.../ssl/conf/server-cn-and-ip-alt-names.config | 24 ++++
src/test/ssl/conf/server-ip-alt-names.config | 19 +++
.../ssl/conf/server-ip-cn-and-alt-names.config | 21 +++
.../ssl/conf/server-ip-cn-and-dns-alt-names.config | 21 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.crt | 20 +++
src/test/ssl/ssl/server-cn-and-ip-alt-names.key | 27 ++++
src/test/ssl/ssl/server-ip-alt-names.crt | 19 +++
src/test/ssl/ssl/server-ip-alt-names.key | 27 ++++
src/test/ssl/ssl/server-ip-cn-and-alt-names.crt | 19 +++
src/test/ssl/ssl/server-ip-cn-and-alt-names.key | 27 ++++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.crt | 20 +++
.../ssl/ssl/server-ip-cn-and-dns-alt-names.key | 27 ++++
src/test/ssl/sslfiles.mk | 4 +
src/test/ssl/t/001_ssltests.pl | 98 ++++++++++++++
src/tools/msvc/Solution.pm | 1 +
22 files changed, 635 insertions(+), 17 deletions(-)
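The three matching rules in the commit message, written out as an added Python model so the precedence is explicit; this is illustrative code, not libpq's implementation. The `ServerCert` record is a constructed stand-in for the parsed certificate fields (CN, dNSName SANs, iPAddress SANs), and comparing the CN as a parsed address rather than as an exact string is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Constructed stand-in for the certificate fields the check consults."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)   # dNSName SAN entries
    ip_sans: List[str] = field(default_factory=list)    # iPAddress SAN entries


def _parse_ip(text: str):
    """Return an ip_address object, or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def ip_host_matches(expected_host: str, cert: ServerCert) -> bool:
    """Decide whether an IP-literal host name matches the certificate.

    Rule order follows the commit message:
      1. iPAddress SANs are checked first.
      2. An IP literal embedded in a dNSName SAN also matches.
      3. The CN is a fallback only when no iPAddress SAN is present;
         dNSName SANs alone do not block the fallback.
    IPv4 and IPv6 are never mapped onto each other.
    """
    expected = _parse_ip(expected_host)
    if expected is None:
        raise ValueError("expected_host must be an IP address literal")

    def same_address(candidate: str) -> bool:
        addr = _parse_ip(candidate)
        # Same version only: ::ffff:10.0.0.1 does not match 10.0.0.1.
        return addr is not None and addr.version == expected.version and addr == expected

    if any(same_address(ip) for ip in cert.ip_sans):
        return True
    if any(same_address(name) for name in cert.dns_sans):
        return True
    if not cert.ip_sans and cert.common_name is not None:
        return same_address(cert.common_name)
    return False
```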