Edit the SSL and Kerberos parts of the release notes a bit, and add

a note about the certificates chains patch just applied.

Edit the SSL and Kerberos parts of the release notes a bit, and add
f3b507c8 · Magnus Hagander · d9ebc882 · f3b507c8
Commit f3b507c8 authored 15 years ago by Magnus Hagander
--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.1 2009/05/02 20:17:19 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.2 2009/05/11 09:00:10 mha Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->

 <sect1 id="release-8-4">
@@ -714,7 +714,7 @@
    </sect4>

    <sect4>
-     <title>Authentication</title>
+     <title>Authentication and security</title>
     <itemizedlist>

      <listitem>
@@ -738,6 +738,19 @@
       </para>
      </listitem>

+      <listitem>
+       <para>
+        Support <acronym>SSL</> certificate chains in server certificate
+        file (Andrew Gierth)
+       </para>
+
+       <para>
+        Including the full certificate chain makes the client able
+        to verify the certificate without having all intermediate CA
+        certificates present in the local store, which is often the case for
+        commercial CAs.
+       </para>
+      </listitem>
     </itemizedlist>

    </sect4>
@@ -2616,6 +2629,16 @@
       </para>
      </listitem>

+      <listitem>
+       <para>
+        Make Kerberos use the same method to determine the username of the
+        client as all other authentication methods (Magnus)
+       </para>
+
+       <para>
+        Previously a special Kerberos-only API was used.
+       </para>
+      </listitem>
     </itemizedlist>

    </sect4>
@@ -2637,11 +2660,25 @@
        connections. If a root certificate is not available to use for
        verification, <acronym>SSL</> connections will fail. The
        <literal>sslmode</> parameter is used to enable the certificate
-        verification.
+        verification and set the level.
+       </para>
+
+       <para>
+        The default is still not to do any verification, allowing connections
+        to SSL enabled servers without requiring a root certificate on the
+        client.
+       </para>
+      </listitem>
+
+      <listitem>
+       <para>
+        Support wildcard server certificates (Magnus)
       </para>

       <para>
-        The default is still not to do any verification.
+        If a certificate <acronym>CN</> starts with <literal>*</>, it will
+        be treated as a wildcard when matching the hostname, allowing the
+        use of the same certificate for multiple servers.
       </para>
      </listitem>