On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote: > But actually, I wonder if we should delegate the whole hostname matching to > OpenSSL? There's a function called X509_check_host for that, although it's > new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep > the current code to handle older versions.
Given that we're about to add support for other SSL implementations I'm not sure that that's a good idea. IIRC there exist quite a bit of different interpretations about what denotes a valid cert between the libraries. Doesn't sound fun to me. Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers