On Monday 24 November 2008 16:55:17 Magnus Hagander wrote: > > Then again, having looked into the libpq source now, is using fnmatch() > > even appropriate here? The matching rules for https are in RFC 2818:
> > Using fnmatch(), however, will also treat ? and [] special and it will > > not follow the "any single domain name component" rule. > I guess it's back to the drawingboard. Can probably still base it on the > fnmatch stuff, but it'll need to be ripped apart. Basically, it should > match only with *, and * should not match "." - do you agree that's a > reasonable interpretation? Some more information on this: https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf slide 5 lists the matching rules for email, HTTP, and LDAP over TLS, respectively, which are not all the same. Also note that these methods have rules for interpreting fields in the certificate other than the common name for the host name. I think it is safest and easiest to allow a * wildcard only as the first character and only when followed immediately by a dot. Maybe some DNS expert around here can offer advice on what a morally sound solution would be. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers