
Extra DNS name verification is made in verify-ca mode, making it effectively verify-full #1164

Open
rshura opened this issue Jul 12, 2024 · 1 comment

Comments

@rshura

rshura commented Jul 12, 2024

Trying to connect to the db with verify-ca works if the address is an IP, but fails if the address is a host name other than what's in the cacert.

It appears that this function is called in the verify-ca scenario: https://github.com/lib/pq/blob/master/ssl.go#L185 and it explicitly checks the name. I don't think this is the desired behavior of verify-ca.

I'm also a little confused as to why any checks need to be made, since the TLS client handshake happens in the first line of the function. That handshake will or will not check the name, depending on the InsecureSkipVerify value that is correctly set already.

Am I missing something obvious here? Thank you!

@evilensky

Hi, I came here for an unrelated issue and found this, which I have also encountered. This is related but separate: even verify-full is implemented in a way that contradicts C libpq.

In verify-full mode, the host name is matched against the certificate's Subject Alternative Name attribute(s) (SAN), or against the Common Name attribute if no SAN of type dNSName is present.

On go1.22 the current defaults reject the connection when "deprecated commonName attribute" is used in place of SAN.
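Added example, not lib/pq code and not posted by either commenter: a stand-alone Go program that separates the two behaviours the thread describes. verifyChain with an empty host is what verify-ca should do (trust the chain, ignore the name dialled); with a host it is verify-full. tlsConfigFor shows the tls.Config shape each mode needs: verify-ca has to set InsecureSkipVerify and move chain verification into VerifyPeerCertificate, because leaving the standard verifier on is what makes verify-ca behave like verify-full. It also goes one step past the thread by building a CN-only leaf to show the go1.22 behaviour from the second comment: Go matches names against SANs only. The CA, the leaf and the host name db.example.internal are constructed in memory for the example; nothing here reads real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const exampleHost = "db.example.internal" // constructed name, not a real host
// newTestChain builds, in memory and only for this example, a self-signed CA and
// a server leaf it signs. With useSAN the leaf carries exampleHost as a dNSName
// SAN; otherwise the name sits only in the deprecated CN. Returns pool + raw DER.
func newTestChain(useSAN bool) (*x509.CertPool, [][]byte, error) {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := tmpl(1, "Example Test CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := tmpl(2, exampleHost)
	if useSAN {
		leafTmpl.DNSNames = []string{exampleHost}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, [][]byte{leafDER}, nil
}

// verifyChain validates the presented chain against roots. An empty host is
// libpq's verify-ca: chain, validity and usage only, no name check. A non-empty
// host adds the name match (verify-full); Go matches names against SANs only,
// so a CN-only leaf fails that check even when the CN is right.
func verifyChain(rawCerts [][]byte, roots *x509.CertPool, host string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool() // any extra certs the server sent
	for _, raw := range rawCerts[1:] {
		if c, err := x509.ParseCertificate(raw); err == nil {
			intermediates.AddCert(c)
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       host, // "" disables host name matching
	})
	return err
}

// tlsConfigFor returns the client tls.Config for verify-full (standard verifier
// checks chain and name) or, with caOnly, for verify-ca: the standard verifier
// is switched off and everything except the name match is redone in the callback.
func tlsConfigFor(caOnly bool, host string, roots *x509.CertPool) *tls.Config {
	if !caOnly {
		return &tls.Config{RootCAs: roots, ServerName: host}
	}
	return &tls.Config{
		InsecureSkipVerify: true, // chain is still verified, by the callback below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyChain(rawCerts, roots, "")
		},
	}
}
```

The point the example makes concrete: InsecureSkipVerify only switches off Go's built-in verifier, so a correct verify-ca needs the custom callback to redo chain validation while leaving DNSName empty, and a verify-ca implementation that still runs a name check (as the linked ssl.go does) cannot be distinguished from verify-full by the caller.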
