Skip site navigation (1) Skip section navigation (2)

Re: BUG #5559: Full SSL verification fails when hostaddr provided

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Christopher Head <chris2k01(at)hotmail(dot)com>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5559: Full SSL verification fails when hostaddr provided
Date: 2010-07-14 07:02:12
Message-ID: AANLkTikEU91MMvOXTrXkf7TGF8KZPRoBNh7csEeSy6ag@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-bugs
On Wed, Jul 14, 2010 at 00:09, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Christopher Head" <chris2k01(at)hotmail(dot)com> writes:
>> When establishing a connection to a PostgreSQL server using a connection
>> string, there are two parameters that can be provided to specify where to
>> connect to: "host" and "hostaddr". If both are provided, the documentation
>> states that "hostaddr" is used to actually establish the socket (thus
>> avoiding
>> a potentially-expensive DNS lookup), while "host" is used for doing some
>> Kerberos stuff.
>
>> It makes sense that in the case of an SSL connection with
>> "sslmode=verify-full" (check that the server's certificate is signed by a
>> trusted CA and has the
>> correct hostname), if both parameters are provided, that "host" also be used
>> for certificate checking. Unfortunately, as per line 536 of the file
>> fe-secure.c in the PostgreSQL sources, if hostaddr is specified, SSL full
>> verification just plain fails without trying at all. I suspect this line
>> should be "if (!conn->pghost)" instead of "if (conn->pghostaddr)".
>
> That's really a definitional change, but it seems like a reasonable one
> to me.  Magnus, what do you think?

Yeah, I think it is, but I haven't had the time to look into the code
yet to see if I agree with the fix as well. Hope to get there soon.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2010-07-14 16:02:18
Subject: Re: BUG #5559: Full SSL verification fails when hostaddr provided
Previous:From: Tom LaneDate: 2010-07-14 01:11:30
Subject: Re: BUG #5557: Problema com Bytea

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group