Follow the RFCs more closely in libpq server certificate hostname check.

The RFCs say that the CN must not be checked if a subjectAltName extension of type dNSName is present. IOW, if subjectAltName extension is present, but there are no dNSNames, we can still check the CN. Alexey Klyukin

Follow the RFCs more closely in libpq server certificate hostname check.
The RFCs say that the CN must not be checked if a subjectAltName extension of type dNSName is present. IOW, if subjectAltName extension is present, but there are no dNSNames, we can still check the CN. Alexey Klyukin
58e70cf9 · Heikki Linnakangas · 2df465e6 · 58e70cf9
Commit 58e70cf9 authored Sep 15, 2014 by Heikki Linnakangas
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

src/interfaces/libpq/fe-secure-openssl.c src/interfaces/libpq/fe-secure-openssl.c +5 -4

No files found.
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
 		sk_GENERAL_NAME_free(peer_san);
 	}
 	/*
-	 * If there is no subjectAltName extension, check the Common Name.
+	 * If there is no subjectAltName extension of type dNSName, check the
+	 * Common Name.
 	 *
-	 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,
-	 * the CN must be ignored.)
+	 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
+	 * dNSName is present, the CN must be ignored.)
 	 */
-	else
+	if (names_examined == 0)
 	{
 		X509_NAME  *subject_name;