From: Heikki Linnakangas Date: Mon, 15 Sep 2014 13:14:24 +0000 (+0300) Subject: Follow the RFCs more closely in libpq server certificate hostname check. X-Git-Tag: REL9_5_ALPHA1~1461 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58e70cf9fb42c1ad60b8ba730fd129f2ce6fa332;p=thirdparty%2Fpostgresql.git Follow the RFCs more closely in libpq server certificate hostname check. The RFCs say that the CN must not be checked if a subjectAltName extension of type dNSName is present. IOW, if subjectAltName extension is present, but there are no dNSNames, we can still check the CN. Alexey Klyukin --- diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 98d02b6b634..78aa46de2f3 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -626,12 +626,13 @@ verify_peer_name_matches_certificate(PGconn *conn) sk_GENERAL_NAME_free(peer_san); } /* - * If there is no subjectAltName extension, check the Common Name. + * If there is no subjectAltName extension of type dNSName, check the + * Common Name. * - * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present, - * the CN must be ignored.) + * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type + * dNSName is present, the CN must be ignored.) */ - else + if (names_examined == 0) { X509_NAME *subject_name;
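Review bot: replacing `else` with `if (names_examined == 0)` makes the Common Name fallback depend on a counter whose declaration, initialization and increments all lie outside this hunk, so the RFC 6125 behaviour the message describes (ignore the CN whenever a dNSName entry is present, even one that does not match) holds only if `names_examined` starts at zero before the subjectAltName loop, is incremented for every dNSName entry examined whether or not it matches, and is never incremented for other SAN types; please confirm that in the surrounding code and consider a one-line comment at the counter's declaration stating this invariant. Since the subjectAltName branch and this `if` are no longer mutually exclusive, it is also worth checking that a successful dNSName match cannot fall through into the CN check and have its result overwritten.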