At Tue, 22 Mar 2022 20:42:37 +0000, Jacob Champion <pchampion@vmware.com> wrote in
> Thanks, looks like I had some old header dependencies left over from
> several versions ago. Fixed in v9.
Thanks! Looks perfect.
> v9 contains the bare minimum but I don't think it's quite enough. How
> much of the behavior (and edge cases) do you think we should detail
> here? All of it?
I tried to write out the doc part. What do you think about it?
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 3998b1781b..13e3e63768 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -8342,16 +8342,31 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
<para>
In <literal>verify-full</literal> mode, the host name is matched against the
- certificate's Subject Alternative Name attribute(s), or against the
- Common Name attribute if no Subject Alternative Name of type <literal>dNSName</literal> is
+ certificate's Subject Alternative Name attribute(s) (SAN), or against the
+ Common Name attribute if no SAN of type <literal>dNSName</literal> is
present. If the certificate's name attribute starts with an asterisk
(<literal>*</literal>), the asterisk will be treated as
a wildcard, which will match all characters <emphasis>except</emphasis> a dot
(<literal>.</literal>). This means the certificate will not match subdomains.
If the connection is made using an IP address instead of a host name, the
- IP address will be matched (without doing any DNS lookups).
+ IP address will be matched (without doing any DNS lookups) against SANs of
+ type <literal>iPAddress</literal> or <literal>dNSName</literal>. If no
+ <literal>ipAddress</literal> SAN is present and no
+ matching <literal>dNSName</literal> SAN is present, the host IP address is
+ matched against the Common Name attribute.
</para>
+ <note>
+ <para>
+ For backward compatibility with earlier versions of PostgreSQL, the host
+ IP address is verified in a manner different
+ from <ulink url="https://tools.ietf.org/html/rfc6125">RFC 6125</ulink>.
+ The host IP address is always matched against <literal>dNSName</literal>
+ SANs as well as <literal>iPAdress</literal> SANs, and can be matched
+ against the Common Name attribute for a certain condition.
+ </para>
+ </note>
+
<para>
To allow server certificate verification, one or more root certificates
must be placed in the file <filename>~/.postgresql/root.crt</filename>
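Review bot: The SAN type identifier is spelled three different ways within this hunk, which will confuse anyone searching the docs for it: `iPAddress` in "type <literal>iPAddress</literal> or <literal>dNSName</literal>", `ipAddress` on the very next line ("If no <literal>ipAddress</literal> SAN is present"), and `iPAdress` (missing a "d") in the new <note>. Suggest using `iPAddress` throughout, since that is the GeneralName choice name in RFC 5280 and it matches the first occurrence here. In the <note>, the closing clause "can be matched against the Common Name attribute for a certain condition" is vague where the preceding paragraph already states the condition exactly; suggest spelling it out, e.g. "and is matched against the Common Name attribute only when the certificate contains neither an <literal>iPAddress</literal> SAN nor a matching <literal>dNSName</literal> SAN", so the note and the paragraph describe the same fallback rule in the same words.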