projects / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fa25beb) | patch
libpq: Allow IP address SANs in server certificates
authorPeter Eisentraut <peter@eisentraut.org>
Fri, 1 Apr 2022 13:41:44 +0000 (15:41 +0200)
committerPeter Eisentraut <peter@eisentraut.org>
Fri, 1 Apr 2022 13:51:23 +0000 (15:51 +0200)
commitc1932e542863f0f646f005b3492452acc57c7e66
tree5b5b5235d68749d804f8fdf0cb7d47a7fd3fd032tree
parentfa25bebb827a8cc4d62f15d564b0093f40b9d44dcommit | diff
libpq: Allow IP address SANs in server certificates

The current implementation supports exactly one IP address in a server
certificate's Common Name, which is brittle (the strings must match
exactly).  This patch adds support for IPv4 and IPv6 addresses in a
server's Subject Alternative Names.

Per discussion on-list:

- If the client's expected host is an IP address, we allow fallback to
  the Subject Common Name if an iPAddress SAN is not present, even if
  a dNSName is present.  This matches the behavior of NSS, in
  violation of the relevant RFCs.

- We also, counter-intuitively, match IP addresses embedded in dNSName
  SANs.  From inspection this appears to have been the behavior since
  the SAN matching feature was introduced in acd08d76.

- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.

Author: Jacob Champion <pchampion@vmware.com>
Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
22 files changed:
configure diff | blob | blame | history
configure.ac diff | blob | blame | history
doc/src/sgml/libpq.sgml diff | blob | blame | history
src/include/pg_config.h.in diff | blob | blame | history
src/interfaces/libpq/fe-secure-common.c diff | blob | blame | history
src/interfaces/libpq/fe-secure-common.h diff | blob | blame | history
src/interfaces/libpq/fe-secure-openssl.c diff | blob | blame | history
src/test/ssl/conf/server-cn-and-ip-alt-names.config [new file with mode: 0644] blob
src/test/ssl/conf/server-ip-alt-names.config [new file with mode: 0644] blob
src/test/ssl/conf/server-ip-cn-and-alt-names.config [new file with mode: 0644] blob
src/test/ssl/conf/server-ip-cn-and-dns-alt-names.config [new file with mode: 0644] blob
src/test/ssl/ssl/server-cn-and-ip-alt-names.crt [new file with mode: 0644] blob
src/test/ssl/ssl/server-cn-and-ip-alt-names.key [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-alt-names.crt [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-alt-names.key [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-cn-and-alt-names.crt [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-cn-and-alt-names.key [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-cn-and-dns-alt-names.crt [new file with mode: 0644] blob
src/test/ssl/ssl/server-ip-cn-and-dns-alt-names.key [new file with mode: 0644] blob
src/test/ssl/sslfiles.mk diff | blob | blame | history
src/test/ssl/t/001_ssltests.pl diff | blob | blame | history
src/tools/msvc/Solution.pm diff | blob | blame | history
This is the main PostgreSQL git repository.