Closed jackwotherspoon closed 2 months ago
We need to hold off on this until PSC DNS is populated in all existing certificates.
Via @jackwotherspoon
"HostName" contains the fully qualified DNS hostname of the server, as understood by the client. The hostname is represented as a byte string using ASCII encoding without a trailing dot.
TLDR;
For wrap_socket and passing it to SSLContext, the trailing dot is invalid. However, the hostname match requires a perfect match to the DNS entry in the SAN, which has the trailing dot. Thus, here we are, stuck with the hostname match failing.
Going to close this for now. We'll need to revisit some server settings I think.
For Cloud SQL we need to disable checking hostname of ssl handshake because IP address does not match SAN. However, for AlloyDB this is not the case and the IP address can be validated as the host name.
Fixes #324
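The trailing-dot mismatch discussed in this thread, as an added example that is not part of the original thread or the project's code: the certificate chain is still verified by the TLS library, the built-in hostname check is turned off, and the DNS SAN is compared by hand after dropping the root dot. The helper names and the sample certificate are assumptions constructed for illustration.

```python
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# the DNS SAN carries a trailing dot, as described in the thread.
SAMPLE_PEER_CERT = {
    "subjectAltName": (
        ("DNS", "db1.example.internal."),
        ("IP Address", "10.0.0.5"),
    ),
}


def normalize_dns(name):
    """Lower-case an ASCII DNS name and drop one trailing root dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def sni_name(dns_name):
    """Name to pass as server_hostname: SNI HostName has no trailing dot."""
    return normalize_dns(dns_name)


def make_context():
    """Chain validation stays on; only the built-in name check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def dns_san_matches(peer_cert, expected_dns):
    """Exact match of expected_dns against DNS SAN entries, ignoring the root dot.

    Wildcards are deliberately not supported: a '*' in the expected name is
    rejected, and a wildcard SAN never equals a concrete name.
    """
    want = normalize_dns(expected_dns)
    if not want or "*" in want:
        return False
    sans = peer_cert.get("subjectAltName", ())
    return any(kind == "DNS" and normalize_dns(value) == want
               for kind, value in sans)


if __name__ == "__main__":
    print(dns_san_matches(SAMPLE_PEER_CERT, "db1.example.internal"))
```

After the handshake, the connection should be closed unless `dns_san_matches(sock.getpeercert(), expected_dns)` returns true; skipping that call leaves the peer's identity unchecked.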