Tom Lane wrote:
> Magnus Hagander <[EMAIL PROTECTED]> writes:
>> (I don't believe OpenSSL does this verification either, because AFAICS
>> OpenSSL only ever sees the IP address of the server, and not the FQDN)
>
> In common usages libpq doesn't have the FQDN of the server either.
> To impose such a requirement, we'd have to forbid naming the server
> by IP address or via a domain-search-path abbreviation.

You could issue a certificate to an IP address, so you could match the textual representation of the IP in that case. Or you could require the FQDN for a SSL connection when this verification is enabled. A similar restriction already exists for Kerberos, for example.

//Magnus
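
The two options raised in this thread, combined into one check, as an added example that is not part of the original messages and is not libpq or OpenSSL code. The function names and reason strings are hypothetical, names are matched exactly (no wildcards, an assumption), and IP addresses are compared after parsing rather than as raw text so that equivalent spellings of one address match.

```python
import ipaddress


def _as_ip(text):
    """Return a parsed address if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_fqdn(host):
    # Assumption: a name with at least two non-empty labels counts as fully
    # qualified; a bare label such as "db" depends on the resolver search path.
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def verify_server_name(conn_host, cert_names):
    """Match the host string the user supplied against the certificate names.

    conn_host  -- host exactly as given to the client (IP, FQDN or short name)
    cert_names -- names the certificate was issued to (constructed input here)
    Returns (ok, reason).
    """
    ip = _as_ip(conn_host)
    if ip is not None:
        # Certificate issued to an IP address: accept only if that address
        # itself appears in the certificate.
        if any(_as_ip(name) == ip for name in cert_names):
            return True, "ip-match"
        return False, "ip-not-in-certificate"
    if not is_fqdn(conn_host):
        # Search-path abbreviations are refused when verification is enabled.
        return False, "fqdn-required"
    wanted = conn_host.rstrip(".").lower()
    for name in cert_names:
        if _as_ip(name) is None and name.rstrip(".").lower() == wanted:
            return True, "fqdn-match"
    return False, "name-mismatch"


if __name__ == "__main__":
    # Constructed sample certificate names and connection hosts.
    cert = ["db.example.com", "192.0.2.10"]
    for host in ["db.example.com", "192.0.2.10", "db", "198.51.100.7"]:
        print(host, verify_server_name(host, cert))
```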