Follow the RFCs more closely in libpq server certificate hostname check.

The RFCs say that the CN must not be checked if a subjectAltName extension
of type dNSName is present. IOW, if subjectAltName extension is present,
but there are no dNSNames, we can still check the CN.

Alexey Klyukin

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 98d02b6b6345da61141741d60549426bf6146f08..78aa46de2f3d5c4404ec4dcbf632c8fb74afba63 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
                sk_GENERAL_NAME_free(peer_san);
        }
        /*
-        * If there is no subjectAltName extension, check the Common Name.
+        * If there is no subjectAltName extension of type dNSName, check the
+        * Common Name.
         *
-        * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,
-        * the CN must be ignored.)
+        * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
+        * dNSName is present, the CN must be ignored.)
         */
-       else
+       if (names_examined == 0)
        {
                X509_NAME  *subject_name;