Document use of Subject Alternative Names in SSL server certificates.

Commit acd08d764 did not bother with updating the documentation.
Tom Lane 2015-12-15 16:57:23 -05:00
parent bfc7f5dd5d
commit 0625dbb0b9
1 changed file with 6 additions and 4 deletions


@ -7296,10 +7296,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
</para>
<para>
In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute
of the certificate is matched against the host name. If the <literal>cn</>
attribute starts with an asterisk (<literal>*</>), it will be treated as
a wildcard, and will match all characters <emphasis>except</> a dot
In <literal>verify-full</> mode, the host name is matched against the
certificate's Subject Alternative Name attribute(s), or against the
Common Name attribute if no Subject Alternative Name of type dNSName is
present. If the certificate's name attribute starts with an asterisk
(<literal>*</>), the asterisk will be treated as
a wildcard, which will match all characters <emphasis>except</> a dot
(<literal>.</>). This means the certificate will not match subdomains.
If the connection is made using an IP address instead of a host name, the
IP address will be matched (without doing any DNS lookups).
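Review bot: the closing sentence about IP-address connections ("the IP address will be matched (without doing any DNS lookups)") is now ambiguous, because the rewritten paragraph distinguishes Subject Alternative Name entries of type dNSName from the Common Name but never says which of those the IP address is compared against. A reader cannot tell from this text whether an IP literal is matched as a string against the dNSName or Common Name value, or against a separate iPAddress entry, and that is exactly the detail someone issuing or auditing server certificates for IP-only connections needs. Suggest making the sentence explicit, e.g. "If the connection is made using an IP address instead of a host name, the IP address is matched against <the field(s) actually checked> (without doing any DNS lookups)", filling in the field from the implementation. Also worth stating in the wildcard sentence whether a leading asterisk is honored in every dNSName entry or only in the first one that is examined, since "the certificate's name attribute" is singular while the preceding sentence speaks of "attribute(s)".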