On 09/15/2014 01:44 PM, Alexey Klyukin wrote:
> > Committed, with that change, i.e. the CN is not checked if SANs are present.
>
> Actually, I disagree with the way the patch ignores the CN. Currently, it skips the CN unconditionally if the SubjectAltName section is present. But what RFC 6125 says is: "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used." This means that we have to check that at least one dNSName resource is present before refusing to examine the CN. Attached is a one-liner (excluding comments) that fixes this.

Ok, good catch. Fixed.

- Heikki

-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
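To make the distinction in the thread concrete, here is an added example (not libpq's code) that puts the two decision rules side by side: the committed behaviour that skipped the CN whenever any SAN section exists, and the RFC 6125 rule that skips it only when a dNSName entry is present. The certificate model (a CN string plus a list of (type, value) SAN tuples) and the constructed certificate with only an iPAddress SAN are assumptions for illustration.

```python
"""RFC 6125 server identity selection: dNSName SANs first, CN only as fallback.

Constructed example, not libpq code. A certificate is modelled as its CN plus a
list of (type, value) SAN entries, the shape OpenSSL's GENERAL_NAME list exposes.
"""


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; '*' accepted only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def verify_hostname_san_section_only(cn: str, sans: list, hostname: str) -> bool:
    """Rule Alexey objected to: CN is ignored whenever a SAN section exists at all."""
    if sans:
        return any(t == "dNSName" and _name_match(v, hostname) for t, v in sans)
    return _name_match(cn, hostname)


def verify_hostname_rfc6125(cn: str, sans: list, hostname: str) -> bool:
    """Fixed rule: CN is ignored only when at least one dNSName entry is present."""
    dns_names = [v for t, v in sans if t == "dNSName"]
    if dns_names:
        return any(_name_match(n, hostname) for n in dns_names)
    return _name_match(cn, hostname)


# Constructed certificate: the SAN section carries only an iPAddress entry,
# so under RFC 6125 the CN is still the identity to check.
CERT_CN = "db.example.com"
CERT_SANS = [("iPAddress", "192.0.2.10")]

if __name__ == "__main__":
    host = "db.example.com"
    print("SAN-section-only rule:", verify_hostname_san_section_only(CERT_CN, CERT_SANS, host))
    print("RFC 6125 rule:        ", verify_hostname_rfc6125(CERT_CN, CERT_SANS, host))
```

With the constructed certificate the first rule rejects a host that the certificate does name in its CN, while the second accepts it; a certificate carrying a non-matching dNSName still fails under both, since the CN is then correctly ignored.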
