At Fri, 18 Mar 2022 16:38:57 +0900 (JST), Kyotaro Horiguchi <horikyota....@gmail.com> wrote in > At Thu, 17 Mar 2022 21:55:07 +0000, Jacob Champion <pchamp...@vmware.com> > wrot> Thanks! .. and some nitpicks..(Sorry) > > fe-secure-common.c doesn't need netinet/in.h. > > > +++ b/src/include/utils/inet.h > .. > +#include "common/inet-common.h" > > I'm not sure about the project policy on #include practice, but I > think it is the common practice not to include headers that are not > required by the file itself. In this case, fe-secure-common.h itself > doesn't need the include. Instead, fe-secure-openssl.c and > fe-secure-common.c needs the include.
I noticed that this doesn't contain doc changes. https://www.postgresql.org/docs/current/libpq-ssl.html > In verify-full mode, the host name is matched against the > certificate's Subject Alternative Name attribute(s), or against the > Common Name attribute if no Subject Alternative Name of type dNSName > is present. If the certificate's name attribute starts with an > asterisk (*), the asterisk will be treated as a wildcard, which will > match all characters except a dot (.). This means the certificate will > not match subdomains. If the connection is made using an IP address > instead of a host name, the IP address will be matched (without doing > any DNS lookups). This refers to dNSName, so we should revise this so that it describes the new behavior. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
