Search Postgresql Archives

Re: Universal certificate for verify-full ssl connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 31, 2011 at 12:44, Asia <asia123321@xxxxx> wrote:
>
>
> W dniu 2011-05-31 11:09:10 użytkownik Magnus Hagander <magnus@xxxxxxxxxxxx> napisał:
>> On Tue, May 31, 2011 at 10:06, Craig Ringer <craig@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> > On 31/05/11 15:40, Asia wrote:
>> >
>> >> Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or maybe this is a possible bug?
>> >
>> > I wouldn't be surprised if libpq didn't support wildcard certificates at
>> > all. I doubt there's ever been any demand for them.
>>
>> It certainly does, and it's an important feature.
>>
>> However, it's not intended to be used with IPs, it's intended to be
>> used with hostnames. The wildcard pattern has to start with "*."
>> (including the dot) to be considered. Thus a simple '*' in the
>> wildcard will not work, and anything starting with '*.' will never
>> match all IPs.
>>
>> --
>>  Magnus Hagander
>>  Me: http://www.hagander.net/
>>  Work: http://www.redpill-linpro.com/
>>
>> --
>
> Thank you for your reply. Please have a look at the documentation below:
>
> http://www.postgresql.org/docs/9.0/interactive/libpq-ssl.html
>
> I clearly states:
>
> "In verify-full mode, the cn (Common Name) attribute of the certificate is matched against the host name. If the cn attribute starts with an asterisk (*), it will be treated as a wildcard, and will match all characters except a dot (.). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing any DNS lookups)."

Yes. Note that the IP address comment comes *after* the discussion of
the wildcard one - the wildcards only work with hostnames.

> It seems that some day someone wanted it to work like I need.
>
> Btw I have also tried *.*.*.* since it is stated that * does not match subdomains and it still did not work. It is really important to have the universal certificate to be able to match several IPs.

No, we only match a single wildcard in a pattern.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux