| From: | Alexey Klyukin <alexk(at)hintbits(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: implement subject alternative names support for SSL connections |
| Date: | 2014-09-15 08:23:08 |
| Message-ID: | CAAS3tyLzcVin-A2po3oUWSjwGTv_BBfeGQ6+XSdVfDdTAXRfiQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Sep 12, 2014 at 4:20 PM, Heikki Linnakangas
<hlinnakangas(at)vmware(dot)com> wrote:
>> Hmm. If that's what the browsers do, I think we should also err on the
>> side of caution here. Ignoring the CN is highly unlikely to cause anyone
>> a problem; a CA worth its salt should not issue a certificate with a CN
>> that's not also listed in the SAN section. But if you have such a
>> certificate anyway for some reason, it shouldn't be too difficult to get
>> a new certificate. Certificates expire every 1-3 years anyway, so there
>> must be a procedure to renew them anyway.
>
>
> Committed, with that change, ie. the CN is not checked if SANs are present.
>
> Thanks for bearing through all these iterations!
Great news! Thank you very much for devoting your time and energy to
the review and providing such a useful feedback!
On the CN thing, I don't have particularly strong arguments for either
of the possible behaviors, so sticking to RFC makes sense here
Sincerely,
--
Alexey Klyukin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2014-09-15 10:34:14 | Re: pgbench throttling latency limit |
| Previous Message | Heikki Linnakangas | 2014-09-15 07:11:57 | Re: orangutan seizes up during isolation-check |