Thread: [JDBC] Supporting Subject Alternative Names for SSL connections on pgJDBC


[JDBC] Supporting Subject Alternative Names for SSL connections on pgJDBC

From
"Higuchi, Daisuke"
Date:
Hello

I re-issue old discussions about "Subject Alternative Names (SANs)".
PostgreSQL can check SANs now [1], so pgJDBC should support this feature too, I think.
Seeing past activity about SANs, I found the patch was contributed by Bruno [2] but not committed.
I want to know the developers' opinion about supporting SANs on pgJDBC.

This feature is useful when failover occurs.
If failover occurs, a single DNS name may point to different hosts after failover.
Certainly we can use wildcards in the server common name, but this does not work if host names are complex.
In other words, the common name "*.db.example.com" only works for names like "master.db.example.com", "slave.db.example.com",
but not for "example.com", "db-master.example.com" and "db-slave.example.com" or other more complex naming schemas.

I attached the initial patch (it does not include unit tests yet); it is extracted from the patch created by Bruno and fixed a little.

[1] https://www.postgresql.org/docs/current/static/libpq-ssl.html
[2] https://www.postgresql.org/message-id/ja1a2v%24p2e%241%40dough.gmane.org

Regards,
Daisuke, Higuchi
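
The matching behaviour this message describes, as an added example (not the attached patch and not pgJDBC's code): dNSName entries are read with `X509Certificate.getSubjectAlternativeNames()` and the common name is consulted only when the certificate carries none, which is the RFC 6125 convention assumed here. The class name, method names and sample name lists are constructed for illustration.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanMatchDemo {
    // Collect the dNSName entries (GeneralName type 2) of the subjectAltName extension.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add((String) san.get(1));
                }
            }
        }
        return names;
    }

    // "*" is honoured only as the whole left-most label and covers exactly one label.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // Use SAN dNSNames when present; fall back to the common name only when there are none.
    static boolean verify(String host, List<String> sanDnsNames, String commonName) {
        if (sanDnsNames.isEmpty()) {
            return commonName != null && matches(commonName, host);
        }
        return sanDnsNames.stream().anyMatch(p -> matches(p, host));
    }

    public static void main(String[] args) {
        List<String> sans = List.of("example.com", "db-master.example.com", "db-slave.example.com");
        for (String h : new String[] {"master.db.example.com", "db-master.example.com", "example.com"}) {
            System.out.println(h + " CN-only=" + verify(h, List.of(), "*.db.example.com")
                + " SAN=" + verify(h, sans, "*.db.example.com"));
        }
    }
}
```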



Re: [JDBC] Supporting Subject Alternative Names for SSL connections on pgJDBC

From
Dave Cramer
Date:
Hi 

Thanks for the patch! I will look at this.


On 3 February 2017 at 00:47, Higuchi, Daisuke <higuchi.daisuke@jp.fujitsu.com> wrote:
Hello

I re-issue old discussions about "Subject Alternative Names (SANs)".
PostgreSQL can check SANs now [1], so pgJDBC should support this feature too, I think.
Seeing past activity about SANs, I found the patch was contributed by Bruno [2] but not committed.
I want to know the developers' opinion about supporting SANs on pgJDBC.

This feature is useful when failover occurs.
If failover occurs, a single DNS name may point to different hosts after failover.
Certainly we can use wildcards in the server common name, but this does not work if host names are complex.
In other words, the common name "*.db.example.com" only works for names like "master.db.example.com", "slave.db.example.com",
but not for "example.com", "db-master.example.com" and "db-slave.example.com" or other more complex naming schemas.

I attached the initial patch (it does not include unit tests yet); it is extracted from the patch created by Bruno and fixed a little.

[1] https://www.postgresql.org/docs/current/static/libpq-ssl.html
[2] https://www.postgresql.org/message-id/ja1a2v%24p2e%241%40dough.gmane.org

Regards,
Daisuke, Higuchi



--
Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-jdbc

