From 58e70cf9fb42c1ad60b8ba730fd129f2ce6fa332 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 15 Sep 2014 16:14:24 +0300 Subject: [PATCH] Follow the RFCs more closely in libpq server certificate hostname check. The RFCs say that the CN must not be checked if a subjectAltName extension of type dNSName is present. IOW, if subjectAltName extension is present, but there are no dNSNames, we can still check the CN. Alexey Klyukin --- src/interfaces/libpq/fe-secure-openssl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 98d02b6b634..78aa46de2f3 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn) sk_GENERAL_NAME_free(peer_san); } /* - * If there is no subjectAltName extension, check the Common Name. + * If there is no subjectAltName extension of type dNSName, check the + * Common Name. * - * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present, - * the CN must be ignored.) + * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type + * dNSName is present, the CN must be ignored.) */ - else + if (names_examined == 0) { X509_NAME *subject_name;