Re: [PATCH v1] Add ssl_alt_cert_file/ssl_alt_key_file for dual RSA+ECDSA certificate support

From: Renaud Métrich <rmetrich(at)redhat(dot)com>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: [PATCH v1] Add ssl_alt_cert_file/ssl_alt_key_file for dual RSA+ECDSA certificate support
Date: 2026-06-16 19:49:04
Message-ID: 11e6298d-5d03-4938-9a6d-d77afcfd49e7@redhat.com
Lists: pgsql-hackers

Hi Jacob,

> raw TLS connections are possible since PG17; see sslnegotiation=direct.

Good point, I wasn't aware of sslnegotiation=direct.  I tested the
proxy workaround on RHEL 9.8 with PG 18 and can confirm it works,
with some caveats:

nginx works as a TLS-terminating proxy with dual RSA+ECDSA certs,
but it requires nginx >= 1.21.4 for the ssl_alpn directive in the
stream module (PG 18 psql rejects direct SSL connections without ALPN
negotiation).  RHEL 9's base nginx is 1.20 which lacks this, but the
1.24 modular package works.  The nginx config is straightforward:

    stream {
        server {
            # Terminate TLS here; clients connect with sslnegotiation=direct
            listen 5433 ssl;
            # Two certificate/key pairs: nginx picks one per handshake
            ssl_certificate     server-rsa.crt;
            ssl_certificate_key server-rsa.key;
            ssl_certificate     server-ecdsa.crt;
            ssl_certificate_key server-ecdsa.key;
            # Required: PG 18 psql refuses direct SSL without this ALPN value
            ssl_alpn postgresql;
            # Plaintext to the local postmaster (hostnossl entry in pg_hba.conf)
            proxy_pass 127.0.0.1:5432;
        }
    }

haproxy 2.8 supports ALPN (so psql connects), but doesn't do proper
dual cert selection — only one cert type is served regardless of the
negotiated cipher.

So the workaround is viable with the right nginx version, but it does
require:
- PG 17+ clients (sslnegotiation=direct)
- nginx >= 1.21.4 with stream + ssl_alpn
- hostnossl trust in pg_hba.conf for proxy connections

Native support avoids the proxy dependency and works with all clients
regardless of version or sslnegotiation support.  I've updated the
patch description accordingly — thanks for the correction.

Renaud

On 16/06/2026 at 5:17 PM, Jacob Champion wrote:
> On Fri, Jun 12, 2026 at 3:05 AM Renaud Métrich <rmetrich(at)redhat(dot)com> wrote:
>> there is no viable workaround
>> — TLS-terminating proxies don't work because PostgreSQL uses an
>> in-protocol SSL upgrade rather than raw TLS connections.
> (Haven't looked at the patch, but raw TLS connections are possible
> since PG17; see sslnegotiation=direct.)
>
> --Jacob
>
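The message above reports two behaviours that are worth checking on any TLS-terminating proxy before relying on it: that it selects ALPN `postgresql` (otherwise recent psql refuses a direct SSL connection) and that it actually serves the RSA or the ECDSA certificate depending on what the client can negotiate (the haproxy 2.8 case above served only one type). The following probe is an added example, not code from the thread or from PostgreSQL/nginx. It pins the handshake to TLS 1.2 and restricts the cipher list to ECDHE-ECDSA or ECDHE-RSA suites, so a successful handshake proves the corresponding certificate type was served. The host, port and cipher names are assumptions for illustration; TLS 1.3 clients select certificates through signature_algorithms instead, so a TLS 1.3-only proxy needs a different probe.

```python
"""Probe a TLS-terminating proxy in front of PostgreSQL for ALPN and dual-cert behaviour.

Added example (not from the pgsql-hackers thread). Assumes the proxy still
offers TLS 1.2; with TLS 1.2 an ECDHE-ECDSA suite can only be negotiated if
the server presents an ECDSA certificate, and ECDHE-RSA only with an RSA one.
"""
import socket
import ssl

ALPN_POSTGRESQL = "postgresql"

# Cipher lists that pin the server's certificate type (assumed OpenSSL names).
CIPHERS_BY_KEY_TYPE = {
    "ecdsa": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256",
    "rsa": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
}


def key_type_from_cipher(cipher_name):
    """Infer which certificate type authenticated a TLS 1.2 handshake from the
    negotiated cipher suite name (e.g. 'ECDHE-ECDSA-AES256-GCM-SHA384')."""
    if "ECDSA" in cipher_name:
        return "ecdsa"
    if "RSA" in cipher_name:
        return "rsa"
    return "unknown"


def make_probe_context(key_type, verify=True, cafile=None):
    """Client context restricted to TLS 1.2 and to one certificate type's ciphers,
    offering the ALPN value PostgreSQL clients send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS_BY_KEY_TYPE[key_type])
    ctx.set_alpn_protocols([ALPN_POSTGRESQL])
    if verify:
        ctx.load_default_certs()
        if cafile:
            ctx.load_verify_locations(cafile)
    else:
        # Probing a lab proxy with self-signed certs: chain is not the question here
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, key_type, verify=True, cafile=None, timeout=5.0):
    """One handshake pinned to key_type; reports whether the proxy could serve it."""
    ctx = make_probe_context(key_type, verify=verify, cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name = tls.cipher()[0]
                return {
                    "key_type": key_type,
                    "served": True,
                    "cipher": cipher_name,
                    "alpn": tls.selected_alpn_protocol(),
                }
    except ssl.SSLError as exc:
        # Handshake failure here means no certificate of this type was offered
        return {"key_type": key_type, "served": False, "error": exc.reason}


def summarize(results):
    """Turn probe results into a verdict: 'dual', 'rsa-only', 'ecdsa-only' or
    'none', plus whether every successful handshake negotiated ALPN postgresql."""
    served = {r["key_type"] for r in results if r["served"]}
    alpn_ok = all(r.get("alpn") == ALPN_POSTGRESQL for r in results if r["served"])
    if served == {"rsa", "ecdsa"}:
        verdict = "dual"
    elif served == {"rsa"}:
        verdict = "rsa-only"
    elif served == {"ecdsa"}:
        verdict = "ecdsa-only"
    else:
        verdict = "none"
    return {"verdict": verdict, "alpn_ok": alpn_ok}


if __name__ == "__main__":
    # Assumed lab target: the nginx stream proxy from the thread on 127.0.0.1:5433
    results = [probe("127.0.0.1", 5433, kt, verify=False) for kt in ("rsa", "ecdsa")]
    for r in results:
        print(r)
    print(summarize(results))
```

A `dual` verdict with `alpn_ok` true matches what the message reports for nginx >= 1.21.4; `rsa-only` or `ecdsa-only` is the haproxy behaviour described above. Keep `verify=True` with the proxy's CA outside a lab so the probe also confirms the chain a real client would validate.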
