Document use of Subject Alternative Names in SSL server certificates.
Commit acd08d764
did not bother with updating the documentation.
This commit is contained in:
parent
bfc7f5dd5d
commit
0625dbb0b9
|
@ -7296,10 +7296,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute
|
In <literal>verify-full</> mode, the host name is matched against the
|
||||||
of the certificate is matched against the host name. If the <literal>cn</>
|
certificate's Subject Alternative Name attribute(s), or against the
|
||||||
attribute starts with an asterisk (<literal>*</>), it will be treated as
|
Common Name attribute if no Subject Alternative Name of type dNSName is
|
||||||
a wildcard, and will match all characters <emphasis>except</> a dot
|
present. If the certificate's name attribute starts with an asterisk
|
||||||
|
(<literal>*</>), the asterisk will be treated as
|
||||||
|
a wildcard, which will match all characters <emphasis>except</> a dot
|
||||||
(<literal>.</>). This means the certificate will not match subdomains.
|
(<literal>.</>). This means the certificate will not match subdomains.
|
||||||
If the connection is made using an IP address instead of a host name, the
|
If the connection is made using an IP address instead of a host name, the
|
||||||
IP address will be matched (without doing any DNS lookups).
|
IP address will be matched (without doing any DNS lookups).
|
||||||
|
|
Loading…
Reference in New Issue