diff options
| author | Peter Eisentraut <peter@eisentraut.org> | 2022-04-01 15:41:44 +0200 |
|---|---|---|
| committer | Peter Eisentraut <peter@eisentraut.org> | 2022-04-01 15:51:23 +0200 |
| commit | c1932e542863f0f646f005b3492452acc57c7e66 (patch) | |
| tree | 5b5b5235d68749d804f8fdf0cb7d47a7fd3fd032 /src/include | |
| parent | fa25bebb827a8cc4d62f15d564b0093f40b9d44d (diff) | |
libpq: Allow IP address SANs in server certificates
The current implementation supports exactly one IP address in a server
certificate's Common Name, which is brittle (the strings must match
exactly). This patch adds support for IPv4 and IPv6 addresses in a
server's Subject Alternative Names.
Per discussion on-list:
- If the client's expected host is an IP address, we allow fallback to
the Subject Common Name if an iPAddress SAN is not present, even if
a dNSName is present. This matches the behavior of NSS, in
violation of the relevant RFCs.
- We also, counter-intuitively, match IP addresses embedded in dNSName
SANs. From inspection this appears to have been the behavior since
the SAN matching feature was introduced in acd08d76.
- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.
Author: Jacob Champion <pchampion@vmware.com>
Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/pg_config.h.in | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 9e2ca83993c..13a2049df4b 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -283,6 +283,9 @@ /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON +/* Define to 1 if you have the `inet_pton' function. */ +#undef HAVE_INET_PTON + /* Define to 1 if the system has the type `int64'. */ #undef HAVE_INT64 |