Follow the RFCs more closely in libpq server certificate hostname check.

hlinnaka · hlinnaka · commit 58e70cf9fb42 · 2014-09-15T16:16:06.000+03:00
The RFCs say that the CN must not be checked if a subjectAltName extension
of type dNSName is present. IOW, if subjectAltName extension is present,
but there are no dNSNames, we can still check the CN.

Alexey Klyukin
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
@@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)
 		sk_GENERAL_NAME_free(peer_san);
 	}
 	/*
-	 * If there is no subjectAltName extension, check the Common Name.
+	 * If there is no subjectAltName extension of type dNSName, check the
+	 * Common Name.
 	 *
-	 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,
-	 * the CN must be ignored.)
+	 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
+	 * dNSName is present, the CN must be ignored.)
 	 */
-	else
+	if (names_examined == 0)
 	{
 		X509_NAME  *subject_name;
 

Original file line number	Diff line number	Diff line change
`@@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn)`
`626`	`626`	`sk_GENERAL_NAME_free(peer_san);`
`627`	`627`	`}`
`628`	`628`	`/*`
`629`		`- * If there is no subjectAltName extension, check the Common Name.`
	`629`	`+ * If there is no subjectAltName extension of type dNSName, check the`
	`630`	`+ * Common Name.`
`630`	`631`	`*`
`631`		`- * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present,`
`632`		`- * the CN must be ignored.)`
	`632`	`+ * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type`
	`633`	`+ * dNSName is present, the CN must be ignored.)`
`633`	`634`	`*/`
`634`		`- else`
	`635`	`+ if (names_examined == 0)`
`635`	`636`	`{`
`636`	`637`	`X509_NAME *subject_name;`
`637`	`638`