Follow the RFCs more closely in libpq server certificate hostname check.

The RFCs say that the CN must not be checked if a subjectAltName extension
of type dNSName is present. IOW, if subjectAltName extension is present,
but there are no dNSNames, we can still check the CN.

Alexey Klyukin
Heikki Linnakangas 2014-09-15 16:14:24 +03:00
parent 2df465e696
commit 58e70cf9fb
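The selection rule the commit message describes, written out as an added example (not libpq code and not part of this commit): the Common Name is consulted only when the certificate carries no subjectAltName entry of type dNSName, so a certificate whose subjectAltName holds only, say, an iPAddress still falls back to the CN. Certificate contents are modelled as plain Python values (constructed sample data, not parsed X.509), and the wildcard rule is the usual single-label leftmost `*`; both are assumptions of the example.

```python
"""Reference-identifier selection and host matching per RFC 2818 / RFC 6125.

Added illustration of the rule described in the commit message; it is not
libpq's implementation. A subjectAltName extension is modelled as a list of
(type, value) pairs, or None when the extension is absent.
"""


def reference_names(san, cn):
    """Return the certificate names that may be matched against the host.

    san: list of (type, value) tuples, or None if the extension is absent.
    cn:  Common Name string, or None if the subject has no CN.
    """
    if san is not None:
        dns_names = [value for kind, value in san if kind == "dNSName"]
        if dns_names:
            # At least one dNSName is present: the CN must be ignored.
            return dns_names
    # No extension at all, or an extension without any dNSName entry:
    # fall back to the Common Name.
    return [cn] if cn else []


def name_matches(pattern, host):
    """Match one certificate name against host.

    A leading '*' stands for exactly one label: '*.example.com' matches
    'db.example.com' but neither 'example.com' nor 'a.b.example.com'.
    DNS names are case-insensitive, and a trailing dot is ignored.
    (Assumed wildcard rule for this example.)
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        if not host.endswith(suffix):
            return False
        first_label = host[: len(host) - len(suffix)]
        return bool(first_label) and "." not in first_label
    return pattern == host


def host_matches_certificate(san, cn, host):
    """True if host matches any admissible reference name of the certificate."""
    return any(name_matches(name, host) for name in reference_names(san, cn))


if __name__ == "__main__":
    # Constructed sample certificates.
    san_only_ip = [("iPAddress", "10.0.0.1")]
    san_with_dns = [("dNSName", "db.example.com"), ("iPAddress", "10.0.0.1")]
    print(host_matches_certificate(san_only_ip, "db.example.com", "db.example.com"))
    print(host_matches_certificate(san_with_dns, "other.example.com", "other.example.com"))
```

The second call in the usage block is the case the commit tightens: a dNSName is present, so the CN (`other.example.com`) is never consulted and the match fails; the first call is the case the commit newly permits, where the extension exists but carries no dNSName and the CN is still checked.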


@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
sk_GENERAL_NAME_free(peer_san);
}
/*
* If there is no subjectAltName extension, check the Common Name.
* If there is no subjectAltName extension of type dNSName, check the
* Common Name.
*
* (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,
* the CN must be ignored.)
* (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
* dNSName is present, the CN must be ignored.)
*/
else
if (names_examined == 0)
{
X509_NAME *subject_name;
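Review bot: the new fallback condition `if (names_examined == 0)` at the end of this hunk is only correct if `names_examined` counts dNSName entries alone; the loop that increments it sits above the hunk and is not visible here, so if it is bumped for every GENERAL_NAME (an iPAddress entry, for example) a certificate whose subjectAltName contains no dNSName would never reach the CN check, which is exactly the case the commit message and the rewritten comment say must fall through. Suggest confirming the increment is guarded on the entry type being `GEN_DNS`, and, since the old `else` is gone, that the no-extension path also leaves the counter at 0 so the Common Name is still consulted when the extension is absent entirely. The comment could also point at RFC 6125 section 6.4.4, which is where the "ignore CN-ID when a DNS-ID is present" rule is stated.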