Document use of Subject Alternative Names in SSL server certificates.

Commit acd08d76 did not bother with updating the documentation.

Document use of Subject Alternative Names in SSL server certificates.
Commit acd08d76 did not bother with updating the documentation.
0625dbb0 · Tom Lane · bfc7f5dd · 0625dbb0
Commit 0625dbb0 authored Dec 15, 2015 by Tom Lane
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

doc/src/sgml/libpq.sgml doc/src/sgml/libpq.sgml +6 -4

No files found.
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -7296,10 +7296,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
  </para>
  <para>
-   In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute
+   In <literal>verify-full</> mode, the host name is matched against the
-   of the certificate is matched against the host name. If the <literal>cn</>
+   certificate's Subject Alternative Name attribute(s), or against the
-   attribute starts with an asterisk (<literal>*</>), it will be treated as
+   Common Name attribute if no Subject Alternative Name of type dNSName is
-   a wildcard, and will match all characters <emphasis>except</> a dot
+   present.  If the certificate's name attribute starts with an asterisk
+   (<literal>*</>), the asterisk will be treated as
+   a wildcard, which will match all characters <emphasis>except</> a dot
   (<literal>.</>). This means the certificate will not match subdomains.
   If the connection is made using an IP address instead of a host name, the
   IP address will be matched (without doing any DNS lookups).