The following bug has been logged online:

Bug reference:      5868
Logged by:          Christopher Head
Email address:      chris2...@hotmail.com
PostgreSQL version: 9.0.1
Operating system:   Linux amd64
Description:        Client ignores X.509 subject alternative name
Details:

This is more of a wishlist/feature-request than an actual bug.

The X.509v3 certificate standard allows an extension field called the "subject alternative name". This field can contain a list of names that should be considered as legitimate names for the entity to which the certificate belongs. Specifically, if an alternative name is of the form "DNS:some.domain.name.tld", then the certificate should be treated as though legitimate for the domain "some.domain.name.tld", just as if that domain were in the common name field of the subject distinguished name.

Right now, the psql client (probably libpq) doesn't look at this certificate extension; rather, it only checks if the subject distinguished name common name field matches the requested hostname. It would be nice if the alternative names could be checked also (modern Web browsers all seem to check the extension fine when using the certificate for HTTPS).

What this allows is for the common name to have a human-readable name instead of a hostname, with the hostnames stuffed into the alternative names list. While this is pretty much irrelevant for PostgreSQL connections, when sharing a certificate with a Web server, browsers will show the human-readable distinguished name, which is nice. Therefore, it would be preferable for the PostgreSQL clients to also honour this field.
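
The difference between the two checks described in the report, as an added example that is not part of the original message and is not libpq code. It assumes the certificate has already been parsed into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate contents, host names and function names are constructed for illustration, and only exact (non-wildcard) matches are modelled.

```python
# Constructed sample certificate: a human-readable common name, with the
# real host names carried in the subject alternative name extension.
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Example Org"),),
        (("commonName", "Example Org Database Service"),),
    ),
    "subjectAltName": (
        ("DNS", "db.example.org"),
        ("DNS", "www.example.org"),
        ("email", "admin@example.org"),  # not a DNS entry, must be ignored
    ),
}


def common_names(cert):
    """Every commonName attribute in the subject distinguished name."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def dns_alt_names(cert):
    """Only the DNS-type entries of the subject alternative name list."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _same_host(a, b):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def cn_only_match(cert, host):
    """Check described in the report: only the subject CN is compared."""
    return any(_same_host(cn, host) for cn in common_names(cert))


def san_aware_match(cert, host):
    """Requested check: a DNS alternative name counts like a matching CN."""
    return cn_only_match(cert, host) or any(
        _same_host(name, host) for name in dns_alt_names(cert))


if __name__ == "__main__":
    for host in ("db.example.org", "other.example.org"):
        print(host, cn_only_match(SAMPLE_CERT, host),
              san_aware_match(SAMPLE_CERT, host))
```

With the sample certificate, a connection to `db.example.org` fails the CN-only check and passes the SAN-aware one, while a host name that appears in neither field is rejected by both.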