Re: BUG #5559: Full SSL verification fails when hostaddr provided

From: Christopher Head <chris2k01(at)hotmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5559: Full SSL verification fails when hostaddr provided
Date: 2010-12-19 22:13:52
Message-ID: BLU0-SMTP1240E792CA8067630A64161F4180@phx.gbl
Lists: pgsql-bugs

On Wed, 14 Jul 2010 18:35:55 -0400
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Do the docs need any more updating?
>
> No doubt, but it's a bit premature to consider that while we're still
> arguing whether the code needs to change more.
>
> regards, tom lane
>

Sorry to bother everyone, but AFAICT this discussion kind of
disappeared. Did I perhaps get dropped from CC? I'm interested to know
what the final resolution of this is.

My own thought would be:
"host" means the thing you intended to connect to: a unique identifier
for the server, probably (usually) the hostname, and also the thing
that goes in a certificate. Should (probably) never be omitted.

"hostaddr" means the thing you actually send your TCP SYN packet to:
maybe an IP address if you want to save a DNS lookup, maybe even
"localhost" if you want to use an SSH tunnel (or even some other
hostname if you have an even stranger tunnel set up), but purely a
"network-layer" thing about *how to get to* the server, and not a
"user-trust-layer" thing about *who the server is*. If omitted,
defaults to being equal to "host".

I don't know if that's what was intended, but that's what I thought
they would mean.

Chris
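
The split proposed in the message above, written out as an added example; it is not part of the original message and is not libpq code. The connection string, certificate contents and function names are constructed for illustration, and the certificate dict has the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import shlex

def parse_conninfo(conninfo):
    """Split a 'key=value key=value' string into a dict (simple form only)."""
    return dict(tok.split("=", 1) for tok in shlex.split(conninfo))

def resolve_targets(params):
    """Return (dial_target, verify_name) under the semantics proposed above."""
    host = params.get("host")
    if not host:
        raise ValueError("host is required: it is the identity to verify")
    # hostaddr only says where the TCP connection goes; it defaults to host.
    return params.get("hostaddr", host), host

def dns_name_matches(pattern, name):
    """Match one dNSName; '*' is accepted only as the whole left-most label."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def cert_matches(cert, name):
    """True if any DNS subjectAltName entry in the certificate matches name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(dns_name_matches(s, name) for s in sans)

# Constructed sample data (not from the thread): a server reached through a
# local tunnel endpoint, presenting a certificate issued for its real name.
SAMPLE_CERT = {"subjectAltName": (("DNS", "db.example.com"),)}
SAMPLE_CONNINFO = "host=db.example.com hostaddr=127.0.0.1 sslmode=verify-full"

def demo():
    dial, verify = resolve_targets(parse_conninfo(SAMPLE_CONNINFO))
    return {
        "dial": dial,      # where the TCP connection goes
        "verify": verify,  # the name checked against the certificate
        "verified_by_host": cert_matches(SAMPLE_CERT, verify),
        "verified_by_hostaddr": cert_matches(SAMPLE_CERT, dial),
    }

if __name__ == "__main__":
    print(demo())
```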
