On 08/25/2014 01:07 PM, Andres Freund wrote:
On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
But actually, I wonder if we should delegate the whole hostname matching to
OpenSSL? There's a function called X509_check_host for that, although it's
new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
the current code to handle older versions.


Given that we're about to add support for other SSL implementations I'm
not sure that that's a good idea. IIRC there exist quite a bit of
different interpretations about what denotes a valid cert between the
libraries.

Really? That sounds scary. I can imagine that some libraries support more complicated stuff like Internationalized Domain Names, while others don't, but as long as they all behave the same with the basic stuff, I think that's acceptable.

Doesn't sound fun to me.

As long as just this patch is concerned, I agree it's easier to just implement it ourselves, but if we want to start implementing more complicated rules, then I'd rather not get into that business at all, and let the SSL library vendor deal with the bugs and CVEs.

I guess we'll go ahead with this patch for now, but keep this in mind if someone wants to complicate the rules further in the future.

- Heikki



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to