| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow matching whole DN from a client certificate |
| Date: | 2021-03-02 22:03:14 |
| Message-ID: | 7872c57a8c49106962a0dac468f175257402f559.camel@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, 2021-02-26 at 15:40 -0500, Andrew Dunstan wrote:
> I think the thing that's principally outstanding w.r.t. this patch is
> what format we should use to extract the DN.
That and the warning label for sharp edges.
> Should we use RFC2253,
> which reverses the field order, as has been suggested upthread and is in
> the latest patch? I'm slightly worried that it might be a POLA
> violation.
All I can provide is the hindsight from httpd. [1] is the thread that
gave rise to its LegacyDNStringFormat.
Since RFC 2253 isn't a canonical encoding scheme, and we've already
established that different TLS implementations do things slightly
differently even when providing RFC-compliant output, maybe it doesn't
matter in the end: to get true compatibility, we need to implement a DN
matching scheme rather than checking string equality. But using RFC2253
for version 1 of the feature at least means that the *simplest* cases
are the same across backends, since I doubt the NSS implementation is
going to try to recreate OpenSSL's custom format.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2021-03-02 22:04:16 | Re: buildfarm windows checks / tap tests on windows |
| Previous Message | Daniel Gustafsson | 2021-03-02 21:51:12 | Re: pg_upgrade version checking questions |