Package: postgresql-client-9.1
Version: 9.1.2-1
Severity: minor

I'm currently migrating machines to a new DNS domain. To ease migration I
created X.509 certificates with old and new names:

> Subject: CN=db.new.domain
> Extensions:
> Subject Alternative Name (not critical):
> DNSname: db.new.domain
> DNSname: db.old.domain

Now psql unfortunately does exactly as described in the documentation:

> In verify-full mode, the cn (Common Name) attribute of the certificate is
> matched against the host name.

> $ psql service=db
> psql: server common name "db.new.domain" does not match host name
> "db.old.domain"

.pg_service.conf:
> [db]
> host=db.old.domain
> dbname=db
> sslmode=verify-full
> sslrootcert=/etc/ssl/certs/cacert.org.pem

Server version is 8.4.10-0squeeze1, but that should not matter.

Most other TLS clients work perfectly well with Subject Alternative Names.
Please don't tell me to use only verify-ca or migrate all clients at once.

Greetings
Timo

--- System information. ---
Architecture: amd64
Kernel: Linux 3.1.0-1-amd64

Debian Release: wheezy/sid
  890 testing security.debian.org

--- Package information. ---
Depends                             (Version) | Installed
=============================================-+-=====================
libc6                                (>= 2.4) | 2.13-24
libedit2                  (>= 2.11-20080614-1) | 2.11-20080614-3
libpq5                              (>= 9.0~) | 9.1.2-1
libssl1.0.0                        (>= 1.0.0) | 1.0.0e-3
zlib1g                           (>= 1:1.1.4) | 1:1.2.3.4.dfsg-3
postgresql-client-common            (>= 115~) | 128

Package's Recommends field is empty.

Suggests              (Version) | Installed
===============================-+-===========
postgresql-9.1                  | 9.1.2-1
postgresql-doc-9.1              | 9.1.2-1
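The difference between the CN-only check reported above and a subjectAltName-aware check, as an added example that is not part of the original report and is not libpq's code. The function names are hypothetical, the certificate values are the ones from the report, and the SAN-aware variant follows the RFC 6125 rule that dNSName entries, when present, replace the CN; the single-label wildcard handling goes beyond the case in the report.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Compare one certificate name against a host name, case-insensitively.
 * A leading "*." in the certificate name covers exactly one leftmost label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)     /* host needs a non-empty first label */
            return 0;
        return strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* CN-only check: the verify-full behaviour described in the report. */
int match_cn_only(const char *cn, const char *host)
{
    return cn != NULL && name_matches(cn, host);
}

/* SAN-aware check: if the certificate carries any dNSName entries they are
 * authoritative and the CN is not consulted; the CN is a fallback only for
 * certificates without dNSName entries. */
int match_san_then_cn(const char *cn, const char *const *dns_names,
                      size_t n_dns, const char *host)
{
    size_t i;

    if (n_dns > 0) {
        for (i = 0; i < n_dns; i++)
            if (name_matches(dns_names[i], host))
                return 1;
        return 0;
    }
    return match_cn_only(cn, host);
}

/* Sample input built from the certificate in the report:
 * CN=db.new.domain, dNSName db.new.domain and db.old.domain. */
static const char *const REPORT_SANS[] = { "db.new.domain", "db.old.domain" };

int report_case_cn_only(void) { return match_cn_only("db.new.domain", "db.old.domain"); }
int report_case_san(void) { return match_san_then_cn("db.new.domain", REPORT_SANS, 2, "db.old.domain"); }
```

With the report's certificate and host=db.old.domain, the CN-only check rejects the connection and the SAN-aware check accepts it.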