On Thu, Nov 24, 2016 at 4:38 PM, Andreas Karlsson <andr...@proxel.se> wrote:
> As you can see, after the patch libpq will now look at hostaddr rather than
> host when validating the server certificate because that is what is stored
> in the first (and only) entry of conn->connhost, and therefore what PQhost()
> returns.
>
> To me it feels like the proper fix would be to make PQHost() return the
> value of the host parameter rather than the hostaddr (maybe add a new field
> in the pg_conn_host struct). But that would be a behaviour change which might
> break someone's application. Thoughts?

I think that the blame here is on the original commit, 274bb2b3857cc987cfa21d14775cae9b0dababa5, which inadvertently changed the behavior of PQhost. Prior to that commit, even if "hostaddr" was used, PQhost would still return whatever value was associated with the "host" parameter, but now it ignores "host" and returns "hostaddr" instead. That's busted. I've pushed a trivial fix, and the SSL tests now pass for me.

It might be that (as suggested downthread) we should consider supporting multiple IPs in the hostaddr string as well, but that requires some thought. For example, what happens if, for example, the host and hostaddr lists are of unequal length? Would we accept one host and >1 hostaddrs? Probably makes sense to just apply the host to every hostaddr. >1 host and 1 hostaddr? Probably doesn't make sense, but I guess you could argue for it. Equal length lists definitely make sense.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
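
The effect of the PQhost() change on certificate name checking, as an added example that is not part of the original message and is not libpq's code. The struct, the two picker functions and the simplified name matcher are hypothetical, and the host name and address are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the connection parameters; not libpq's pg_conn. */
typedef struct { const char *host; const char *hostaddr; } conn_params;
typedef const char *(*name_picker)(const conn_params *);

/* Behaviour described as broken: the address shadows the "host" parameter. */
static const char *name_regressed(const conn_params *c) {
    return (c->hostaddr && *c->hostaddr) ? c->hostaddr : c->host;
}

/* Behaviour described as restored: "host" wins, hostaddr is only a fallback. */
static const char *name_fixed(const conn_params *c) {
    return (c->host && *c->host) ? c->host : c->hostaddr;
}

/* Case-insensitive equality without relying on non-ISO string functions. */
static int ieq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Simplified matcher (assumption): exact match, or a single leading "*."
 * wildcard that covers exactly one non-empty label. */
static int cert_name_matches(const char *pattern, const char *name) {
    if (!pattern || !name) return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(name, '.');
        return dot != NULL && dot != name && ieq(pattern + 1, dot);
    }
    return ieq(pattern, name);
}

/* 1 if the certificate name is accepted for the name the picker reports. */
static int verify_ok(const conn_params *c, const char *cert_name, name_picker pick) {
    return cert_name_matches(cert_name, pick(c));
}

int main(void) {
    conn_params c = { "db.example.test", "127.0.0.1" };  /* constructed values */
    const char *cert = "db.example.test";                /* constructed cert name */
    printf("regressed: checks %s, ok=%d\n", name_regressed(&c), verify_ok(&c, cert, name_regressed));
    printf("fixed:     checks %s, ok=%d\n", name_fixed(&c), verify_ok(&c, cert, name_fixed));
    return 0;
}
```

With the address shadowing the name, a certificate issued for the host name the user asked for is rejected, and the identity being checked is no longer the one the user supplied.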