From c1932e542863f0f646f005b3492452acc57c7e66 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Fri, 1 Apr 2022 15:41:44 +0200
Subject: libpq: Allow IP address SANs in server certificates

The current implementation supports exactly one IP address in a server certificate's Common Name, which is brittle (the strings must match exactly). This patch adds support for IPv4 and IPv6 addresses in a server's Subject Alternative Names.

Per discussion on-list:

- If the client's expected host is an IP address, we allow fallback to the Subject Common Name if an iPAddress SAN is not present, even if a dNSName is present. This matches the behavior of NSS, in violation of the relevant RFCs.
- We also, counter-intuitively, match IP addresses embedded in dNSName SANs. From inspection this appears to have been the behavior since the SAN matching feature was introduced in acd08d76.
- Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa.

Author: Jacob Champion
Co-authored-by: Kyotaro Horiguchi
Co-authored-by: Daniel Gustafsson
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
---
 doc/src/sgml/libpq.sgml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 0b2a8720f04..1c20901c3c1 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -8356,16 +8356,31 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) In verify-full mode, the host name is matched against the - certificate's Subject Alternative Name attribute(s), or against the - Common Name attribute if no Subject Alternative Name of type dNSName is + certificate's Subject Alternative Name attribute(s) (SAN), or against the + Common Name attribute if no SAN of type dNSName is present. If the certificate's name attribute starts with an asterisk (*), the asterisk will be treated as a wildcard, which will match all characters except a dot (.). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the - IP address will be matched (without doing any DNS lookups). + IP address will be matched (without doing any DNS lookups) against SANs of + type iPAddress or dNSName. If no + iPAddress SAN is present and no + matching dNSName SAN is present, the host IP address is + matched against the Common Name attribute. + + + For backward compatibility with earlier versions of PostgreSQL, the host + IP address is verified in a manner different + from RFC 6125. + The host IP address is always matched against dNSName + SANs as well as iPAddress SANs, and can be matched + against the Common Name attribute if no relevant SANs exist. + + + To allow server certificate verification, one or more root certificates must be placed in the file ~/.postgresql/root.crt -- cgit v1.2.3
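Review bot: the second added paragraph ("For backward compatibility with earlier versions of PostgreSQL ...") largely restates the sentence added just above it (host IP matched against iPAddress and dNSName SANs, with Common Name fallback), so either merge the two or cut the second down to the one thing it adds, namely that this deviates from RFC 6125. As written the reader meets the same rule twice with different wording ("no matching dNSName SAN is present" versus "if no relevant SANs exist"), and the difference invites the question of whether a present but non-matching dNSName SAN blocks the Common Name fallback; the commit message says it does not, and the text should state that once, unambiguously. The commit message also says IPv4 and IPv6 addresses are not mapped to one another, which is user-visible behaviour (the address family in the certificate must be the one used to connect) and belongs in this paragraph rather than only in the commit log. Finally, since the wildcard sentence ("If the certificate's name attribute starts with an asterisk ...") now sits directly before the IP-address text, it would help to say explicitly whether asterisk handling applies to host names only.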