| author | Tom Lane <tgl@sss.pgh.pa.us> | 2015-12-15 16:57:23 -0500 | 
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2015-12-15 16:57:23 -0500 | 
| commit | 3ac806ccb5207810c7fe947ee44de4d242d42f97 (patch) | |
| tree | 0af5f681b9bec2ab641581e1a04d4571be44032d | |
| parent | ddd78136764133b72bfe9102e60bbd49fa22b414 (diff) | |
Document use of Subject Alternative Names in SSL server certificates.
Commit acd08d764 did not bother with updating the documentation.
| -rw-r--r-- | doc/src/sgml/libpq.sgml | 10 | 
1 files changed, 6 insertions, 4 deletions
| diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 79047b37611..9e21e3d6fd3 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -7252,10 +7252,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)    </para>    <para> -   In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute -   of the certificate is matched against the host name. If the <literal>cn</> -   attribute starts with an asterisk (<literal>*</>), it will be treated as -   a wildcard, and will match all characters <emphasis>except</> a dot +   In <literal>verify-full</> mode, the host name is matched against the +   certificate's Subject Alternative Name attribute(s), or against the +   Common Name attribute if no Subject Alternative Name of type dNSName is +   present.  If the certificate's name attribute starts with an asterisk +   (<literal>*</>), the asterisk will be treated as +   a wildcard, which will match all characters <emphasis>except</> a dot     (<literal>.</>). This means the certificate will not match subdomains.     If the connection is made using an IP address instead of a host name, the     IP address will be matched (without doing any DNS lookups). | 
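Review bot: The rewritten wildcard sentence says "the certificate's name attribute", which does not tell the reader whether the asterisk rule applies to Subject Alternative Name entries, to the Common Name fallback, or to both. Since the sentence before it now introduces two possible sources for the name, spell this out, for example "If a name taken from either attribute starts with an asterisk". The unchanged trailing sentence about connecting by IP address has the same gap after this change: it says the IP address "will be matched" but not against which field, and the new text defines the Common Name fallback only in terms of a missing Subject Alternative Name of type dNSName. A reader cannot tell from this paragraph how an IP address interacts with Subject Alternative Name entries, so a clarifying clause there would be worth adding while the paragraph is being touched.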
