| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new |
| Date: | 2008-11-24 14:40:00 |
| Message-ID: | 492ABCC0.6020609@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
Magnus Hagander wrote:
> Tom Lane wrote:
>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>> ... The other option is to have
>>> autoconf substitute our own local version of fnmatch when this happens.
>>> How would one go about to do that in autoconf asks the autoconf n00b?
>> I'd try adding a little test program that tries to compile
>>
>> #include <fnmatch.h>
>> ...
>> n = fnmatch("foo","bar", FNM_CASEFOLD);
>>
>> and see if that succeeds.
>>
>> For extra credit, incorporate that into a new PGAC_FUNC_FNMATCH macro,
>> but I think you'd need to get Peter's help on the details --- I'm just
>> a duffer on autoconf myself.
>
> Yeah, likely that someone who knows this will make it happen a lot faster.
>
> Peter, got time to help me out with this? Thanks!
Well, FNM_CASEFOLD is not POSIX, and Autoconf thinks it's a GNU
extension, which has obviously crept into other systems. So you'd need
to use AC_FUNC_FNMATCH_GNU, but that also requires you to use the GNU
replacement implementation. (A bit stupid, but then again, if you are
trying to use GNU features, whose replacement implementation are you
going to use.)
If you google for FNM_CASEFOLD, you will get about a million hits of
other open-source projects having run into this same issue.
Then again, having looked into the libpq source now, is using fnmatch()
even appropriate here? The matching rules for https are in RFC 2818:
Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
Using fnmatch(), however, will also treat ? and [] special and it will
not follow the "any single domain name component" rule.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2008-11-24 14:55:17 | Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new |
| Previous Message | Magnus Hagander | 2008-11-24 14:09:48 | Re: [COMMITTERS] pgsql: Explicitly bind gettext() to the UTF8 locale when in use. |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-11-24 14:40:30 | Re: Visibility map, partial vacuums |
| Previous Message | Tom Lane | 2008-11-24 14:37:59 | Re: Visibility map, partial vacuums |