From:
"Robert Haas" <robertmhaas(at)gmail(dot)com>
To:
"Magnus Hagander" <magnus(at)hagander(dot)net>
Cc:
"Peter Eisentraut" <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject:
Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date:
2008-12-01 15:02:39
Message-ID:
603c8f070812010702k7c3d57ean92408e7f4fad30d7@mail.gmail.com (view raw or flat )
Thread:
2008-11-24 09:15:16 from mha(at)postgresql(dot)org (Magnus Hagander)
2008-11-24 13:37:30 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-11-24 13:43:09 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-24 13:49:55 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-11-24 13:55:03 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-24 14:40:00 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-11-24 14:55:17 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-24 21:26:41 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-11-24 21:30:14 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-11-28 15:13:54 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-28 16:56:35 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-11-28 18:33:54 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-28 18:48:38 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-11-29 13:43:23 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-28 22:08:42 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-11-29 13:49:35 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-11-29 15:56:42 from "Robert Haas" <robertmhaas(at)gmail(dot)com>
2008-12-01 14:49:38 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-12-01 15:02:39 from "Robert Haas" <robertmhaas(at)gmail(dot)com>
2008-12-01 15:05:50 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-12-01 15:34:46 from "Robert Haas" <robertmhaas(at)gmail(dot)com>
2008-12-01 15:31:46 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-12-01 15:38:53 from "Robert Haas" <robertmhaas(at)gmail(dot)com>
2008-12-01 15:41:16 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-12-01 17:10:15 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-12-01 17:18:41 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-12-01 17:28:32 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-11-24 15:11:25 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Lists:
pgsql-committers pgsql-hackers
>> 2. I can't see any possible way that matching a single component could
>> create security holes that would be eliminated by matching multiple
>> components, but I'm more skeptical about the other direction. What
>> about the old DNS hack where you create a DNS record for
>> example.com.sample.com and hijack connections intended for example.com
>> made by people whose default DNS suffix is sample.com? There may be
>> reason to believe this isn't a problem, but matching less seems like
>> it can't possibly be a bad thing.
>
> Right, but that's all about being careful not to give out certs like
> "*.postgres.*".
Errrr...no. The point is that if you've hacked sample.com's DNS
server, you might have a cert for *.sample.com, but you might NOT have
a cert for example.com .
...Robert
In response to
Responses
pgsql-hackers by date
Next :From: David E. WheelerDate: 2008-12-01 15:02:59Subject : Re: New to_timestamp implementation is pretty strictPrevious :From : David E. WheelerDate : 2008-12-01 14:56:52Subject : Re: New to_timestamp implementation is pretty strict
pgsql-committers by date
Next :From: Magnus HaganderDate: 2008-12-01 15:05:50Subject : Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard
server certificates to the newPrevious :From : Magnus HaganderDate : 2008-12-01 14:49:38Subject : Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard
server certificates to the new
