On Wed, Jul 14, 2010 at 00:09, Tom Lane <t...@sss.pgh.pa.us> wrote: > "Christopher Head" <chris2...@hotmail.com> writes: >> When establishing a connection to a PostgreSQL server using a connection >> string, there are two parameters that can be provided to specify where to >> connect to: "host" and "hostaddr". If both are provided, the documentation >> states that "hostaddr" is used to actually establish the socket (thus >> avoiding >> a potentially-expensive DNS lookup), while "host" is used for doing some >> Kerberos stuff. > >> It makes sense that in the case of an SSL connection with >> "sslmode=verify-full" (check that the server's certificate is signed by a >> trusted CA and has the >> correct hostname), if both parameters are provided, that "host" also be used >> for certificate checking. Unfortunately, as per line 536 of the file >> fe-secure.c in the PostgreSQL sources, if hostaddr is specified, SSL full >> verification just plain fails without trying at all. I suspect this line >> should be "if (!conn->pghost)" instead of "if (conn->pghostaddr)". > > That's really a definitional change, but it seems like a reasonable one > to me. Magnus, what do you think?
Yeah, I think it is, but I haven't had the time to look into the code yet to see if I agree with the fix as well. Hope to get there soon. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs