Re: BUG #5559: Full SSL verification fails when hostaddr provided

Christopher Head wrote:
> On Wed, 14 Jul 2010 18:35:55 -0400
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > > Do the docs need any more updating?
> >
> > No doubt, but it's a bit premature to consider that while we're still
> > arguing whether the code needs to change more.
> >
> > regards, tom lane
> >
>
> Sorry to bother everyone, but AFAICT this discussion kind of
> disappeared. Did I perhaps get dropped from CC? I'm interested to know
> what the final resolution of this is.
>
> My own thought would be:
> "host" means the thing you intended to connect to: a unique identifier
> for the server, probably (usually) the hostname, and also the thing
> that goes in a certificate. Should (probably) never be omitted.
>
> "hostaddr" means the thing you actually send your TCP SYN packet to:
> maybe an IP address if you want to save a DNS lookup, maybe even
> "localhost" if you want to use an SSH tunnel (or even some other
> hostname if you have an even stranger tunnel set up), but purely a
> "network-layer" thing about *how to get to* the server, and not a
> "user-trust-layer" thing about *who the server is*. If omitted,
> defaults to being equal to "host".
>
> I don't know if that's what was intended, but that's what I thought
> they would mean.

I have adjusted the libpq docs to be clearer about 'hostaddr' by using
an itemized list and rewording; attached and applied.

I am not sure what else needs to be done, and I don't think anyone else
knows either, so unless I hear otherwise, I will consider this item
closed. Perhaps the clearer docs will highlight a new open item.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +