| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Christopher Head" <chris2k01(at)hotmail(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net> |
| Subject: | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
| Date: | 2010-07-13 22:09:27 |
| Message-ID: | 18252.1279058967@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
"Christopher Head" <chris2k01(at)hotmail(dot)com> writes:
> When establishing a connection to a PostgreSQL server using a connection
> string, there are two parameters that can be provided to specify where to
> connect to: "host" and "hostaddr". If both are provided, the documentation
> states that "hostaddr" is used to actually establish the socket (thus
> avoiding
> a potentially-expensive DNS lookup), while "host" is used for doing some
> Kerberos stuff.
> It makes sense that in the case of an SSL connection with
> "sslmode=verify-full" (check that the server's certificate is signed by a
> trusted CA and has the
> correct hostname), if both parameters are provided, that "host" also be used
> for certificate checking. Unfortunately, as per line 536 of the file
> fe-secure.c in the PostgreSQL sources, if hostaddr is specified, SSL full
> verification just plain fails without trying at all. I suspect this line
> should be "if (!conn->pghost)" instead of "if (conn->pghostaddr)".
That's really a definitional change, but it seems like a reasonable one
to me. Magnus, what do you think?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-07-13 22:16:03 | Re: BUG #5561: Tsearch across schemas |
| Previous Message | Heikki Linnakangas | 2010-07-13 19:55:55 | Re: Fwd: Re: BUG #5556: "cannot drop active portal" and "ERRORDATA_STACK_SIZE exceeded" lead to server crash |