Discussion: Universal certificate for verify-full ssl connection


Universal certificate for verify-full ssl connection

From
Asia
Date:
Hi,

I am trying to generate self-signed certificate for full ssl authentication. I need to have universal version of this
certificate for development purposes (so any client can connect with any postgresql server with ssl on and verify-full
flag).
I am using IP while connecting, I mean host=<IP>.

However verify-full connection works only in case "Common Name" in certificate contains only fully qualified IP
address, when I try to set CN as * (asterisk) I receive error:

server common name "*" does not match hostname "my_ip"

According to the documentation here : http://www.postgresql.org/docs/current/static/libpq-ssl.html

"If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing
any DNS lookups)."

Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or maybe
this is a possible bug?

Thanks in advance !

Joanna

Re: Universal certificate for verify-full ssl connection

From
Craig Ringer
Date:
On 31/05/11 15:40, Asia wrote:

> Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or
> maybe this is a possible bug?

I wouldn't be surprised if libpq didn't support wildcard certificates at
all. I doubt there's ever been any demand for them.

Have you checked in the source code?

What version of libpq are you using, and what version of openssl is it
compiled against?

(Yes, this is an identical re-post in reply to your identical re-post.
Try answering follow-up questions instead of just re-posting your
original message! Also, please read
  http://wiki.postgresql.org/wiki/Guide_to_reporting_problems )



--
Craig Ringer

Re: Universal certificate for verify-full ssl connection

From
Magnus Hagander
Date:
On Tue, May 31, 2011 at 10:06, Craig Ringer <craig@postnewspapers.com.au> wrote:
> On 31/05/11 15:40, Asia wrote:
>
>> Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or
>> maybe this is a possible bug?
>
> I wouldn't be surprised if libpq didn't support wildcard certificates at
> all. I doubt there's ever been any demand for them.

It certainly does, and it's an important feature.

However, it's not intended to be used with IPs, it's intended to be
used with hostnames. The wildcard pattern has to start with "*."
(including the dot) to be considered. Thus a simple '*' in the
wildcard will not work, and anything starting with '*.' will never
match all IPs.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: Universal certificate for verify-full ssl connection

From
Magnus Hagander
Date:
On Tue, May 31, 2011 at 12:44, Asia <asia123321@op.pl> wrote:
>
>
> On 2011-05-31 11:09:10 user Magnus Hagander <magnus@hagander.net> wrote:
>> On Tue, May 31, 2011 at 10:06, Craig Ringer <craig@postnewspapers.com.au> wrote:
>> > On 31/05/11 15:40, Asia wrote:
>> >
>> >> Would you please advise what I am doing wrong? Or maybe there is other way to generate wildcard certificate ? Or
>> >> maybe this is a possible bug?
>> >
>> > I wouldn't be surprised if libpq didn't support wildcard certificates at
>> > all. I doubt there's ever been any demand for them.
>>
>> It certainly does, and it's an important feature.
>>
>> However, it's not intended to be used with IPs, it's intended to be
>> used with hostnames. The wildcard pattern has to start with "*."
>> (including the dot) to be considered. Thus a simple '*' in the
>> wildcard will not work, and anything starting with '*.' will never
>> match all IPs.
>>
>> --
>>  Magnus Hagander
>>  Me: http://www.hagander.net/
>>  Work: http://www.redpill-linpro.com/
>>
>> --
>
> Thank you for your reply. Please have a look at the documentation below:
>
> http://www.postgresql.org/docs/9.0/interactive/libpq-ssl.html
>
> It clearly states:
>
> "In verify-full mode, the cn (Common Name) attribute of the certificate is matched against the host name. If the cn
> attribute starts with an asterisk (*), it will be treated as a wildcard, and will match all characters except a dot (.).
> This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host
> name, the IP address will be matched (without doing any DNS lookups)."

Yes. Note that the IP address comment comes *after* the discussion of
the wildcard one - the wildcards only work with hostnames.

> It seems that some day someone wanted it to work like I need.
>
> Btw I have also tried *.*.*.* since it is stated that * does not match subdomains and it still did not work. It is
> really important to have the universal certificate to be able to match several IPs.

No, we only match a single wildcard in a pattern.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/