> On 08/25/2014 01:07 PM, Andres Freund wrote:
>> On 2014-08-25 13:02:50 +0300, Heikki Linnakangas wrote:
>>> But actually, I wonder if we should delegate the whole hostname matching
>>> to OpenSSL? There's a function called X509_check_host for that, although
>>> it's new in OpenSSL 1.1.0 so we'd need to add a configure test for that
>>> and keep the current code to handle older versions.
>> Given that we're about to add support for other SSL implementations I'm
>> not sure that that's a good idea. IIRC there exist quite a bit of
>> different interpretations about what denotes a valid cert between the
>> libraries.
> As long as just this patch is concerned, I agree it's easier to just
> implement it ourselves, but if we want to start implementing more
> complicated rules, then I'd rather not get into that business at all, and
> let the SSL library vendor deal with the bugs and CVEs.

Sounds reasonable.

> I guess we'll go ahead with this patch for now, but keep this in mind if
> someone wants to complicate the rules further in the future.


Alexey Klyukin
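The thread above weighs implementing certificate hostname matching in the client against delegating it to OpenSSL's X509_check_host. As an added example (not code from this thread, from PostgreSQL's libpq, or from OpenSSL), the block below is a self-contained C implementation of the matching rules a client library has to carry itself when it does not delegate: case-insensitive comparison, a wildcard accepted only as the entire left-most label, no wildcard match across a label boundary, no wildcard over a bare public suffix such as "*.com", no wildcard match against an IP-address literal, and SAN dNSName entries taking precedence over the Common Name. The function names, the rule set and the sample certificate names are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte spans of equal length n. */
static bool span_eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return false;
    return true;
}

/* Heuristic (assumed here): digits-and-dots only, or any ':', is an IP literal. */
static bool looks_like_ip(const char *host)
{
    bool digits_and_dots = true;
    for (const char *p = host; *p; p++) {
        if (*p == ':')
            return true;                      /* IPv6 literal */
        if (!isdigit((unsigned char) *p) && *p != '.')
            digits_and_dots = false;
    }
    return digits_and_dots;
}

/* Match one certificate name (CN or SAN dNSName) against the connect-to host.
 * Returns true only if the name covers the host under the rules above. */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;

    const char *star = strchr(pattern, '*');
    if (star == NULL) {
        /* Exact name: lengths must agree, compare case-insensitively. */
        size_t n = strlen(pattern);
        return strlen(host) == n && span_eq_nocase(pattern, host, n);
    }

    /* Wildcard must be the whole first label ("*.example.com"), and only one. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;

    /* Refuse "*.com" style patterns: the suffix must contain at least two dots. */
    const char *suffix = pattern + 1;         /* ".example.com" */
    int dots = 0;
    for (const char *p = suffix; *p; p++)
        if (*p == '.')
            dots++;
    if (dots < 2)
        return false;

    /* Wildcards never cover IP literals, and must match exactly one non-empty label. */
    if (looks_like_ip(host))
        return false;
    const char *host_rest = strchr(host, '.');  /* ".example.com" part of the host */
    if (host_rest == NULL || host_rest == host)
        return false;

    size_t slen = strlen(suffix);
    return strlen(host_rest) == slen && span_eq_nocase(host_rest, suffix, slen);
}

/* SAN dNSName entries are authoritative; the CN is consulted only when the
 * certificate carries no dNSName SAN at all (the usual client-side rule). */
bool host_matches_cert(const char *const *san_dns, size_t n_san,
                       const char *cn, const char *host)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (cert_name_matches(san_dns[i], host))
                return true;
        return false;
    }
    return cn != NULL && cert_name_matches(cn, host);
}

/* Constructed sample: a certificate whose CN names the host but whose SAN
 * list does not. Returns true when the SAN-precedence rule is applied. */
bool example_san_overrides_cn(void)
{
    const char *const san[] = { "*.internal.example.org", "db.example.net" };
    const char *cn = "db.example.com";
    return !host_matches_cert(san, 2, cn, "db.example.com")
        && host_matches_cert(san, 2, cn, "pg1.internal.example.org")
        && host_matches_cert(NULL, 0, cn, "DB.EXAMPLE.COM");
}

int main(void)
{
    printf("san precedence rule holds: %s\n", example_san_overrides_cn() ? "yes" : "no");
    printf("*.example.com vs a.b.example.com: %d\n",
           cert_name_matches("*.example.com", "a.b.example.com"));
    return 0;
}
```

The two points a reviewer of such code usually looks for are the "one label only" check (the host's first dot must line up with the pattern's suffix, so "a.b.example.com" never matches "*.example.com") and the IP-literal refusal, since a wildcard like "*.0.0.1" would otherwise textually cover "10.0.0.1".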

