Open mszlgr opened 1 year ago
The `verify-ca` option has always set `DNSName` during verify, but I agree, we don't want name verification in this function.

The behavior of `DNSName` wasn't documented until Go 1.15, so I suspect it was required at some point.

It looks like another case for `sslsni=1` might cover this at the end of `TestSSLVerifyCA`. https://github.com/lib/pq/blob/922c00e176fb3960d912dc2c7f67ea2cf18d27b0/ssl_test.go#L158-L159
> The `verify-ca` option has always set `DNSName` during verify, but I agree, we don't want name verification in this function.

I was just hit by this. Looks like `verify-ca` requires the CN to match now. What's the correct fix here? Not setting `DNSName` at all? Do you want me to open a PR? (Though I don't feel like I have enough context here to write a good commit message.)
After updating from 1.10.6 to 1.10.7 I found that when using `sslmode=verify-ca` mode, `client.ConnectionState().ServerName` in this part of the code has the value of the `host` parameter from the DB connection string when using the `verify-ca` option, throwing `x509: “*.<host>” certificate name does not match input`. In version 1.10.6 the `sslVerifyCertificateAuthority` function was using an empty string in its place, ignoring verification of the leaf certificate.

I would like to be able to use the `sslsni` option and at the same time use the `verify-ca` option.
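As an added, stand-alone illustration of the distinction this report draws (this is not lib/pq code and not the function discussed above): a constructed in-memory CA and a leaf certificate whose only SAN is the hypothetical wildcard `*.db.example.test`, verified once with `DNSName` left empty, which is what `verify-ca` should do, and once with a host value filled in, which is what happens when the SNI/host name is passed through to the verifier. Go's `crypto/x509` reports the second case as a `HostnameError`; a broken chain is a different error type, and keeping those two apart is exactly what a `verify-ca` implementation has to do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed, in-memory root CA and leaf certificate so the
// example runs offline. All names are hypothetical and not from lib/pq.
type testPKI struct {
	roots *x509.CertPool
	leaf  *x509.Certificate
}

// newTestPKI issues a throwaway root CA and a server certificate whose only
// SAN is the wildcard "*.db.example.test".
func newTestPKI() (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.db.example.test"},
		DNSNames:     []string{"*.db.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &testPKI{roots: roots, leaf: leaf}, nil
}

// verifyChainOnly is the verify-ca contract: the chain must end at a trusted
// root, but the leaf's names are compared with nothing (DNSName left empty).
func (p *testPKI) verifyChainOnly() error {
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.roots})
	return err
}

// verifyChainAndName is the verify-full contract, and also what a verify-ca
// path ends up doing if it feeds the SNI/host value into DNSName.
func (p *testPKI) verifyChainAndName(host string) error {
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: host})
	return err
}

// isHostnameMismatch reports whether err is a name mismatch rather than a
// chain failure; only the former should be ignored under verify-ca.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	p, err := newTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("verify-ca, DNSName empty:        ", p.verifyChainOnly())
	fmt.Println("DNSName covered by the wildcard: ", p.verifyChainAndName("primary.db.example.test"))
	// The reported situation: a host/SNI value the certificate does not cover.
	fmt.Println("DNSName from a non-matching host:", p.verifyChainAndName("pg.other.test"))
}
```

Run it with `go run .`; the third line is the only one that carries an error, and `isHostnameMismatch` is the check that lets a caller tell that name failure apart from an untrusted or expired chain.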