Re: [GENERAL] Universal certificate for verify-full ssl connection
On Tue, May 31, 2011 at 12:44, Asia wrote:
>
>
> On 2011-05-31 11:09:10 user Magnus Hagander wrote:
>> On Tue, May 31, 2011 at 10:06, Craig Ringer wrote:
>> > On 31/05/11 15:40, Asia wrote:
>> >
>> >> Would you please advise what I am doing wrong? Or maybe there is another
>> >> way to generate a wildcard certificate? Or maybe this is a possible bug?
>> >
>> > I wouldn't be surprised if libpq didn't support wildcard certificates at
>> > all. I doubt there's ever been any demand for them.
>>
>> It certainly does, and it's an important feature.
>>
>> However, it's not intended to be used with IPs, it's intended to be
>> used with hostnames. The wildcard pattern has to start with "*."
>> (including the dot) to be considered. Thus a simple '*' in the
>> wildcard will not work, and anything starting with '*.' will never
>> match all IPs.
>>
>> --
>> Magnus Hagander
>> Me: http://www.hagander.net/
>> Work: http://www.redpill-linpro.com/
>>
>> --
>
> Thank you for your reply. Please have a look at the documentation below:
>
> http://www.postgresql.org/docs/9.0/interactive/libpq-ssl.html
>
> It clearly states:
>
> "In verify-full mode, the cn (Common Name) attribute of the certificate is
> matched against the host name. If the cn attribute starts with an asterisk
> (*), it will be treated as a wildcard, and will match all characters except a
> dot (.). This means the certificate will not match subdomains. If the
> connection is made using an IP address instead of a host name, the IP address
> will be matched (without doing any DNS lookups)."

Yes. Note that the IP address comment comes *after* the discussion of the
wildcard one - the wildcards only work with hostnames.

> It seems that some day someone wanted it to work like I need.
>
> Btw I have also tried *.*.*.* since it is stated that * does not match
> subdomains and it still did not work. It is really important to have the
> universal certificate to be able to match several IPs.

No, we only match a single wildcard in a pattern.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
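The Common Name rule Magnus describes, as an added example that is not part of the thread and not libpq's own code: a Python reimplementation of the verify-full CN check as stated in the replies and the quoted documentation (a single leading "*." wildcard covering exactly one label, IP targets compared literally), run over the poster's CN attempts plus a few constructed hostnames. All hostnames and addresses below are made up.

```python
"""Reproduce the verify-full CN matching behaviour discussed on the list.

This is an illustration written for this thread, not libpq source. It follows
the rule as described by Magnus and the 9.0 docs quoted by the poster:
  * exact (case-insensitive) CN == host always matches;
  * a CN starting with "*." is a wildcard for exactly one leading label, so it
    never covers subdomains and never matches a bare IP address;
  * a CN of just "*" (no dot), or one containing several wildcards, is not a
    pattern at all and only an exact string match could succeed.
"""
import ipaddress


def cn_matches_host(cn: str, host: str) -> bool:
    """Return True if certificate Common Name `cn` is accepted for `host`."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True                       # literal match, also how IPs are matched
    if not cn.startswith("*."):
        return False                      # bare "*" or "*foo" is not a wildcard pattern
    if cn.count("*") > 1:
        return False                      # only a single wildcard per pattern ("*.*.*.*" fails)
    try:
        ipaddress.ip_address(host)
        return False                      # IP targets are never matched by a wildcard
    except ValueError:
        pass                              # not an IP literal: treat as a hostname
    first_label, _, remainder = host.partition(".")
    # "*." stands in for exactly one label (anything except a dot); the rest of
    # the CN must equal the rest of the hostname verbatim.
    return bool(first_label) and remainder == cn[2:]


# Constructed cases: the poster's two attempts against an IP, then hostname cases.
CASES = [
    ("*", "192.168.0.10", False),                 # the error from the original post
    ("*.*.*.*", "192.168.0.10", False),           # "only a single wildcard in a pattern"
    ("192.168.0.10", "192.168.0.10", True),       # IP matched literally, no DNS
    ("*.example.com", "db.example.com", True),    # wildcard covers one label
    ("*.example.com", "a.b.example.com", False),  # "will not match subdomains"
    ("*.example.com", "example.com", False),      # wildcard must consume a label
]


def run_cases() -> bool:
    """True when every constructed case behaves as the thread describes."""
    return all(cn_matches_host(cn, host) is expected for cn, host, expected in CASES)


if __name__ == "__main__":
    for cn, host, expected in CASES:
        print(f"CN {cn!r:18} host {host!r:20} -> {cn_matches_host(cn, host)} (expected {expected})")
```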
Re: [GENERAL] Universal certificate for verify-full ssl connection
On Tue, May 31, 2011 at 10:06, Craig Ringer wrote:
> On 31/05/11 15:40, Asia wrote:
>
>> Would you please advise what I am doing wrong? Or maybe there is another way
>> to generate a wildcard certificate? Or maybe this is a possible bug?
>
> I wouldn't be surprised if libpq didn't support wildcard certificates at
> all. I doubt there's ever been any demand for them.

It certainly does, and it's an important feature.

However, it's not intended to be used with IPs, it's intended to be
used with hostnames. The wildcard pattern has to start with "*."
(including the dot) to be considered. Thus a simple '*' in the
wildcard will not work, and anything starting with '*.' will never
match all IPs.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
Re: [GENERAL] Universal certificate for verify-full ssl connection
On 31/05/11 15:40, Asia wrote:
> Would you please advise what I am doing wrong? Or maybe there is another way
> to generate a wildcard certificate? Or maybe this is a possible bug?

I wouldn't be surprised if libpq didn't support wildcard certificates at
all. I doubt there's ever been any demand for them.

Have you checked in the source code? What version of libpq are you using,
and what version of openssl is it compiled against?

(Yes, this is an identical re-post in reply to your identical re-post. Try
answering follow-up questions instead of just re-posting your original
message! Also, please read
http://wiki.postgresql.org/wiki/Guide_to_reporting_problems )

--
Craig Ringer
[GENERAL] Universal certificate for verify-full ssl connection
Hi,

I am trying to generate a self-signed certificate for full ssl authentication.
I need to have a universal version of this certificate for development
purposes (so any client can connect with any postgresql server with ssl on and
the verify-full flag).

I am using an IP while connecting, I mean host=. However the verify-full
connection works only in case the "Common Name" in the certificate contains
only the fully qualified IP address; when I try to set CN as * (asterisk) I
receive the error:

server common name "*" does not match hostname "my_ip"

According to the documentation here:

http://www.postgresql.org/docs/current/static/libpq-ssl.html

"If the connection is made using an IP address instead of a host name, the IP
address will be matched (without doing any DNS lookups)."

Would you please advise what I am doing wrong? Or maybe there is another way
to generate a wildcard certificate? Or maybe this is a possible bug?

Thanks in advance!
Joanna
Re: [GENERAL] Universal certificate for verify-full ssl connection
On 05/30/2011 03:58 PM, Asia wrote:
> Would you please advise what I am doing wrong? Or maybe there is another way
> to generate a wildcard certificate?

I wouldn't be surprised if libpq didn't support wildcard certificates at
all. I doubt there's ever been any demand for them.

Have you checked in the source code? What version of libpq are you using,
and what version of openssl is it compiled against?

--
Craig Ringer
[GENERAL] Universal certificate for verify-full ssl connection
Hi,

I am trying to generate a self-signed certificate for full ssl authentication.
I need to have a universal version of this certificate for development
purposes (so any client can connect with any postgresql server with ssl on).

I am using an IP while connecting, I mean host=. However the verify-full
connection works only in case the "Common Name" in the certificate contains
only the fully qualified IP address; when I try to set CN as * (asterisk) I
receive the error:

server common name "*" does not match hostname "my_ip"

According to the documentation here:

http://www.postgresql.org/docs/current/static/libpq-ssl.html

"If the connection is made using an IP address instead of a host name, the IP
address will be matched (without doing any DNS lookups)."

Would you please advise what I am doing wrong? Or maybe there is another way
to generate a wildcard certificate?

Thanks in advance!
Joanna