public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jacob Champion <[email protected]>
To: [email protected] <[email protected]>
To: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [PATCH] Accept IP addresses in server certificate SANs
Date: Wed, 30 Mar 2022 16:17:18 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Wed, 2022-03-30 at 13:37 +0200, Peter Eisentraut wrote:
> On 28.03.22 22:21, Jacob Champion wrote:
> > On Mon, 2022-03-28 at 11:17 +0200, Daniel Gustafsson wrote:
> > > Fixing up the switch_server_cert() calls and using default_ssl_connstr makes
> > > the test pass for me. The required fixes are in the supplied 0004 diff, I kept
> > > them separate to allow the original author to incorporate them without having
> > > to dig them out to see what changed (named to match the git format-patch output
> > > since I think the CFBot just applies the patches in alphabetical order).
> >
> > Thanks! Those changes look good to me; I've folded them into v11. This
> > is rebased on a newer HEAD so it should fix the apply failures that
> > Greg pointed out.
>
> I'm not happy about how inet_net_pton.o is repurposed here. That code
> is clearly meant to support backend data types with specifically. Code like
>
> + /*
> + * pg_inet_net_pton() will accept CIDR masks, which we don't want to
> + * match, so skip the comparison if the host string contains a slash.
> + */
>
> indicates that we are fighting against the API.
Horiguchi-san had the same concern upthread, I think. I replaced that
code in the next patch, but it was enough net-new stuff that I kept the
patches separate instead of merging them. I can change that if it's not
helpful for review.
> Also, if someone ever
> wants to change how those backend data types work, we then have to check
> a bunch of other code as well.
>
> I think we should be using inet_ntop()/inet_pton() directly here. We
> can throw substitute implementations into libpgport if necessary, that's
> not so difficult.
Is this request satisfied by the implementation of pg_inet_pton() in
patch 0003? If not, what needs to change?
Thanks,
--Jacob
view thread (25+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: [PATCH] Accept IP addresses in server certificate SANs
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox