On Tue, May 31, 2011 at 12:44, Asia <asia123321@xxxxx> wrote:
>
>
> On 2011-05-31 11:09:10, user Magnus Hagander <magnus@xxxxxxxxxxxx> wrote:
>> On Tue, May 31, 2011 at 10:06, Craig Ringer <craig@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> > On 31/05/11 15:40, Asia wrote:
>> >
>> >> Would you please advise what I am doing wrong? Or maybe there is another way to generate a wildcard certificate? Or maybe this is a possible bug?
>> >
>> > I wouldn't be surprised if libpq didn't support wildcard certificates at
>> > all. I doubt there's ever been any demand for them.
>>
>> It certainly does, and it's an important feature.
>>
>> However, it's not intended to be used with IPs, it's intended to be
>> used with hostnames. The wildcard pattern has to start with "*."
>> (including the dot) to be considered. Thus a simple '*' in the
>> wildcard will not work, and anything starting with '*.' will never
>> match all IPs.
>>
>> --
>> Magnus Hagander
>> Me: http://www.hagander.net/
>> Work: http://www.redpill-linpro.com/
>>
>> --
>
> Thank you for your reply. Please have a look at the documentation below:
>
> http://www.postgresql.org/docs/9.0/interactive/libpq-ssl.html
>
> It clearly states:
>
> "In verify-full mode, the cn (Common Name) attribute of the certificate is matched against the host name. If the cn attribute starts with an asterisk (*), it will be treated as a wildcard, and will match all characters except a dot (.). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing any DNS lookups)."

Yes. Note that the IP address comment comes *after* the discussion of
the wildcard one - the wildcards only work with hostnames.

> It seems that some day someone wanted it to work like I need.
>
> Btw I have also tried *.*.*.* since it is stated that * does not match subdomains and it still did not work.
> It is really important to have the universal certificate to be able to match several IPs.

No, we only match a single wildcard in a pattern.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
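
The matching rules stated in this thread, written out as an added example (it is not part of the original messages and is not libpq's source code). `cn_matches_host` is a hypothetical helper name, and the host names and addresses in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper: 1 if certificate CN `cn` is acceptable for `host`. */
int cn_matches_host(const char *cn, const char *host)
{
    size_t cn_len = strlen(cn);
    size_t host_len = strlen(host);

    /* Exact, case-insensitive match: plain host names and IP literals. */
    if (strcasecmp(cn, host) == 0)
        return 1;

    /* Only a leading "*." (dot included) is considered a wildcard. */
    if (cn_len < 3 || cn[0] != '*' || cn[1] != '.')
        return 0;

    /* The wildcard has to stand for at least one character. */
    if (host_len < cn_len)
        return 0;

    /* Everything after the first '*' is literal and must end the host. */
    const char *tail = host + (host_len - (cn_len - 1));
    if (strcasecmp(cn + 1, tail) != 0)
        return 0;

    /* The part covered by '*' may not contain a dot (no subdomains). */
    if (memchr(host, '.', (size_t)(tail - host)) != NULL)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample pairs: { certificate CN, host given to the client } */
    const char *cases[][2] = {
        { "*.example.com", "db1.example.com" },
        { "*.example.com", "a.b.example.com" },
        { "*",             "10.0.0.5" },
        { "*.*.*.*",       "10.0.0.5" },
        { "10.0.0.5",      "10.0.0.5" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-15s vs %-16s -> %s\n", cases[i][0], cases[i][1],
               cn_matches_host(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The `*` and `*.*.*.*` rows fail for the reasons given in the replies: a bare `*` is not a wildcard pattern, and only the first `*` is special, so the remaining asterisks are compared literally.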