Tom Lane wrote:
> Magnus Hagander <[EMAIL PROTECTED]> writes:
>> (I don't believe OpenSSL does this verification either, because AFAICS
>> OpenSSL only ever sees the IP address of the server, and not the FQDN)
>
> In common usages libpq doesn't have the FQDN of the server either.
> To impose such a requirement, we'd have to forbid naming the server
> by IP address or via a domain-search-path abbreviation.
>
> regards, tom lane

Well, right now, SSL does nothing for you, so you have to do something.
It's OK, SSL isn't doing a lot for a lot of people, but this is the
beginning of us calling people out on that.
You can handle IP address and domain-search-path by having an option for
explicitly declaring the subject name to be expected at the other side
of the SSL connection. In other words, sever the DNS/FQDN link, and
just explicitly say "however I reach that host over there, I expect
database.backend.com".
--Dan
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
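
The explicit expected-name check suggested in the reply above, sketched as an added example; it is not code from the thread or from libpq. The function names, the constructed sample certificate and the use of Python's `ssl` module are assumptions for illustration.

```python
import socket
import ssl

# Constructed sample in SSLSocket.getpeercert() form, not from a real server.
SAMPLE_CERT = {
    "subject": ((("commonName", "old-name.example"),),),
    "subjectAltName": (("DNS", "database.backend.com"),
                       ("DNS", "*.replica.backend.com")),
}

def name_matches(pattern: str, expected: str) -> bool:
    """Compare one certificate DNS name with the configured expected name.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    e = expected.lower().rstrip(".").split(".")
    if len(p) != len(e) or not all(e):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == e[1:]
    return p == e

def cert_has_expected_name(cert: dict, expected: str) -> bool:
    """True if the certificate was issued for `expected`, regardless of the
    IP address or abbreviated name used to reach the server.
    When any subjectAltName DNS entry exists, the commonName is ignored."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(name_matches(n, expected) for n in names)

def connect_expecting(address: str, port: int, expected: str,
                      cafile: str) -> ssl.SSLSocket:
    """Open a plain TLS socket to `address` but require a CA-signed
    certificate for `expected`. The ssl module checks the certificate
    against server_hostname, not against `address`. PostgreSQL's own
    SSL negotiation step is not shown here."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and name
    raw = socket.create_connection((address, port))
    try:
        return ctx.wrap_socket(raw, server_hostname=expected)
    except Exception:
        raw.close()
        raise
```
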