-rw-r--r-- | doc/src/sgml/libpq.sgml | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 79047b37611..9e21e3d6fd3 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -7252,10 +7252,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) </para> <para> - In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute - of the certificate is matched against the host name. If the <literal>cn</> - attribute starts with an asterisk (<literal>*</>), it will be treated as - a wildcard, and will match all characters <emphasis>except</> a dot + In <literal>verify-full</> mode, the host name is matched against the + certificate's Subject Alternative Name attribute(s), or against the + Common Name attribute if no Subject Alternative Name of type dNSName is + present. If the certificate's name attribute starts with an asterisk + (<literal>*</>), the asterisk will be treated as + a wildcard, which will match all characters <emphasis>except</> a dot (<literal>.</>). This means the certificate will not match subdomains. If the connection is made using an IP address instead of a host name, the IP address will be matched (without doing any DNS lookups). |
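Review bot: The unchanged closing sentence of this paragraph ("If the connection is made using an IP address instead of a host name, the IP address will be matched") becomes ambiguous with this change, because the added lines introduce two possible name sources and that sentence does not say which one an IP address is compared against. Please state whether an IP address is checked against Subject Alternative Name entries, the Common Name, or both, and whether the "no Subject Alternative Name of type dNSName is present" fallback condition applies to that case as well. The added phrase "the certificate's name attribute" has the same problem: if the wildcard rule is meant to apply to both dNSName entries and the Common Name, say so explicitly. Minor wording point: Subject Alternative Name is an X.509 extension, not an attribute, so "Subject Alternative Name attribute(s)" would read better as "Subject Alternative Name entries".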