On Mon, Aug 25, 2014 at 12:33 PM, Heikki Linnakangas <hlinnakan...@vmware.com> wrote:

> On 08/25/2014 01:07 PM, Andres Freund wrote:
>> On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
>>> But actually, I wonder if we should delegate the whole hostname matching to
>>> OpenSSL? There's a function called X509_check_host for that, although it's
>>> new in OpenSSL 1.1.0 so we'd need to add a configure test for that and keep
>>> the current code to handle older versions.
>>
>> Given that we're about to add support for other SSL implementations I'm
>> not sure that that's a good idea. IIRC there exist quite a bit of
>> different interpretations about what denotes a valid cert between the
>> libraries.
>
> As long as just this patch is concerned, I agree it's easier to just
> implement it ourselves, but if we want to start implementing more
> complicated rules, then I'd rather not get into that business at all, and
> let the SSL library vendor deal with the bugs and CVEs.

Sounds reasonable.

> I guess we'll go ahead with this patch for now, but keep this in mind if
> someone wants to complicate the rules further in the future.

+1

--
Regards,
Alexey Klyukin
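The "implement it ourselves" hostname check the thread weighs against X509_check_host, as an added illustration that is neither libpq's code nor part of this thread: a C matcher for a certificate name (CN or dNSName) against the connected host name. The rules in the comments are assumptions chosen for the example, not a description of what the patch under discussion does.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two equal-length ASCII spans. */
static bool
spans_equal_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return false;
    return true;
}

/*
 * Assumed rules (constructed for this example):
 *  - comparison is ASCII case-insensitive;
 *  - a wildcard is accepted only as the entire leftmost label ("*.");
 *  - the wildcard matches exactly one non-empty label, never a dot;
 *  - at least two labels must follow the wildcard ("*.com" is rejected);
 *  - any other '*' in the name makes it unmatchable.
 */
bool
cert_name_matches_host(const char *certname, const char *host)
{
    size_t clen = strlen(certname), hlen = strlen(host);

    if (clen == 0 || hlen == 0)
        return false;

    /* No leading wildcard: plain case-insensitive equality. */
    if (strncmp(certname, "*.", 2) != 0)
        return clen == hlen && spans_equal_ci(certname, host, clen);

    const char *suffix = certname + 1;   /* e.g. ".example.com" */
    size_t slen = clen - 1;

    /* Need two labels after the wildcard; no further wildcards allowed. */
    if (strchr(suffix + 1, '.') == NULL || strchr(suffix, '*') != NULL)
        return false;
    if (hlen <= slen)                     /* host too short for a label */
        return false;
    size_t prefix = hlen - slen;          /* bytes covered by the '*' */
    if (!spans_equal_ci(host + prefix, suffix, slen))
        return false;
    /* The wildcard must cover exactly one label: no dot in the prefix. */
    return memchr(host, '.', prefix) == NULL;
}
```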