| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Dan Kaminsky <dan(at)doxpara(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
| Date: | 2008-08-19 19:01:36 |
| Message-ID: | 48AB1890.8020304@hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> (I don't believe OpenSSL does this verification either, because AFAICS
>> OpenSSL only ever sees the IP address of the server, and not the FQDN)
>
> In common usages libpq doesn't have the FQDN of the server either.
> To impose such a requirement, we'd have to forbid naming the server
> by IP address or via a domain-search-path abbreviation.
You could issue a certificate to an IP address, so you could match the
textual representation of the IP in that case.
Or you could require the FQDN for a SSL connection when this
verification is enabled. A similar restriction already exists for
Kerberos, for example.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dan Kaminsky | 2008-08-19 19:13:16 | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
| Previous Message | Tom Lane | 2008-08-19 18:57:55 | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |