| From: | Alexey Klyukin <alexk(at)hintbits(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
| Cc: | Andres Freund <andres(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: implement subject alternative names support for SSL connections |
| Date: | 2014-08-28 16:33:17 |
| Message-ID: | CAAS3ty+SpJrDo6=N2isnxapYsDWOGc+n0+gVDaHjk2Sq2tswoQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Aug 25, 2014 at 12:33 PM, Heikki Linnakangas <
hlinnakangas(at)vmware(dot)com> wrote:
> On 08/25/2014 01:07 PM, Andres Freund wrote:
>
>> On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
>>
>>> But actually, I wonder if we should delegate the whole hostname matching
>>> to
>>> OpenSSL? There's a function called X509_check_host for that, although
>>> it's
>>> new in OpenSSL 1.1.0 so we'd need to add a configure test for that and
>>> keep
>>> the current code to handle older versions.
>>>
>>
>> Given that we're about to add support for other SSL implementations I'm
>> not sure that that's a good idea. IIRC there exist quite a bit of
>> different interpretations about what denotes a valid cert between the
>> libraries.
>>
>
>
> As long as just this patch is concerned, I agree it's easier to just
> implement it ourselves, but if we want to start implementing more
> complicated rules, then I'd rather not get into that business at all, and
> let the SSL library vendor deal with the bugs and CVEs.
>
Sounds reasonable.
>
> I guess we'll go ahead with this patch for now, but keep this in mind if
> someone wants to complicate the rules further in the future.
+1
--
Regards,
Alexey Klyukin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2014-08-28 16:35:07 | Re: Switch pg_basebackup to use -X stream instead of -X fetch by default? |
| Previous Message | Josh Berkus | 2014-08-28 16:32:17 | Re: Need Multixact Freezing Docs |