You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm also a little confused as to why any checks need to be made, since the TLS client handshake happens in the first line of the function. That handshake will or will not check the name, depending on InsecureSkipVerify value that is correctly set already.
Am I missing something obvious here? Thank you!
The text was updated successfully, but these errors were encountered:
Hi, I came here for an unrelated issue and found this, which I have also encountered. This is related but separate: even verify-full is implemented in a way that contradicts C libpq
In verify-full mode, the host name is matched against the certificate's Subject Alternative Name attribute(s) (SAN), or against the Common Name attribute if no SAN of type dNSName is present.
On go1.22 the current defaults reject the connection when "deprecated commonName attribute" is used in place of SAN.
Trying to connect to the db with
verify-ca
works if the address is IP, but fails if the address is a host name other than what's in the cacert.It appears that this function is called in
verify-ca
scenario: https://github.com/lib/pq/blob/master/ssl.go#L185 and it explicitly checks the name. I don't think this is the desired behavior ofverify-ca
.I'm also a little confused as to why any checks need to be made, since the TLS client handshake happens in the first line of the function. That handshake will or will not check the name, depending on
InsecureSkipVerify
value that is correctly set already.Am I missing something obvious here? Thank you!
The text was updated successfully, but these errors were encountered: