Re: Broken SSL tests in master

On Thu, Nov 24, 2016 at 4:38 PM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:
> As you can see, after the patch libpq will now look at hostaddr rather than
> host when validating the server certificate because that is what is stored
> in the first (and only) entry of conn->connhost, and therefore what PQhost()
> return.
>
> To me it feels like the proper fix would be to make PQHost() return the
> value of the host parameter rather than the hostaddr (maybe add a new field
> in the pg_conn_host struct). But would be a behaviour change which might
> break someones application. Thoughts?

I think that the blame here is on the original commit,
274bb2b3857cc987cfa21d14775cae9b0dababa5, which inadvertently changed
the behavior of PQhost. Prior to that commit, even if "hostaddr" was
used, PQhost would still return whatever value was associated with the
"host" parameter, but now it ignores "host" and returns "hostaddr"
instead. That's busted. I've pushed a trivial fix, and the SSL tests
now pass for me.

It might be that (as suggested downthread) we should consider
supporting multiple IPs in the hostaddr string as well, but that
requires some thought. For example, what happens if, for example, the
host and hostaddr lists are of unequal length? Would we accept one
host and >1 hostaddrs? Probably makes sense to just apply the host to
every hostaddr. >1 host and 1 hostaddr? Probably doesn't make sense,
but I guess you could argue for it. Equal length lists definitely
make sense.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company