postgres

mirror of https://github.com/zebrajr/postgres.git synced 2025-12-06 12:20:15 +01:00

History

Peter Eisentraut c1932e5428 libpq: Allow IP address SANs in server certificates The current implementation supports exactly one IP address in a server certificate's Common Name, which is brittle (the strings must match exactly). This patch adds support for IPv4 and IPv6 addresses in a server's Subject Alternative Names. Per discussion on-list: - If the client's expected host is an IP address, we allow fallback to the Subject Common Name if an iPAddress SAN is not present, even if a dNSName is present. This matches the behavior of NSS, in violation of the relevant RFCs. - We also, counter-intuitively, match IP addresses embedded in dNSName SANs. From inspection this appears to have been the behavior since the SAN matching feature was introduced in `acd08d76`. - Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa. Author: Jacob Champion <pchampion@vmware.com> Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Co-authored-by: Daniel Gustafsson <daniel@yesql.se> Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com		2022-04-01 15:51:23 +02:00
..
src	libpq: Allow IP address SANs in server certificates	2022-04-01 15:51:23 +02:00
KNOWN_BUGS
Makefile
MISSING_FEATURES
TODO