Re: Introducing SNI in TLS handshake for SSL connections

From: Pablo Iranzo Gómez <Pablo(dot)Iranzo(at)redhat(dot)com>
To: Andreas Karlsson <andreas(at)proxel(dot)se>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Introducing SNI in TLS handshake for SSL connections
Date: 2018-12-12 20:46:19
Message-ID: 20181212204619.GA2125@redhat.com
Lists: pgsql-hackers

+++ Andreas Karlsson [11/12/18 18:18 +0100]:
>On 12/11/18 3:52 PM, Pablo Iranzo Gómez wrote:
>>I came to this old thread while trying to figure out how to set up
>>postgres replication behind OpenShift/Kubernetes behind a route
>>(which only forwards 80 or 443 traffic), but could work if SNI is
>>supported on the client using it.
>>
>>I haven't found any further follow-up on this, but based on the
>>number of posts and questions on many sites on accessing postgres on
>>OpenShift/Kubernetes it could be something good to have supported.
>>
>>Any further information or plans?
>
>I am pretty sure nobody is working on this.
>
>It seems like it would be easy to implement (basically just call
>SSL_set_tlsext_host_name() with the right hostname) with the only
>issue being that we may need to add a new connection string
>parameter[1] because I doubt all users would want SNI enabled by
>default since PostgreSQL itself cannot do anything useful with the
>hostname, only some kind of TLS proxy can. Hopefully there won't be
>much bike shedding about the new connection parameter. :)
>
>Feel free to write a patch if you have the time and submit it to the
>next commitfest[2] for review.

Unfortunately I do not consider myself a coder, so if there is any way
to 'list' this as a 'nice to have' thing so that someone can take the
task and move it forward.

Thanks,
Pablo

>
>Notes:
>
>1. List of current options: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>2. https://wiki.postgresql.org/wiki/CommitFest
>
>Andreas
>

--

Pablo Iranzo Gómez (Pablo(dot)Iranzo(at)redhat(dot)com) GnuPG: 0x5BD8E1E4
Senior Software Engineer - Solutions Engineering iranzo @ IRC
RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA #110-215-852 RHCA Level V

Blog: https://iranzo.github.io https://citellus.org
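
What SNI looks like from the proxy's side, as an added example that is not part of the original message or of PostgreSQL/libpq code: Python's ssl module stands in for a client that sets the hostname (the role SSL_set_tlsext_host_name() plays with OpenSSL), and a small parser reads the name back out of the ClientHello the way an SNI-routing TLS proxy would. The hostname db1.apps.example.com and both function names are constructed for illustration.

```python
import ssl
import struct

def client_hello(hostname, send_sni=True):
    """Return the first TLS record (ClientHello) a client would send."""
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False  # Python insists on a name otherwise
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Passing server_hostname is what makes the client emit the SNI extension.
    tls = ctx.wrap_bio(incoming, outgoing,
                       server_hostname=hostname if send_sni else None)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no server, we only want the first flight
    return outgoing.read()

def sni_from_client_hello(record):
    """Return the server_name a proxy would route on, or None if absent."""
    u16 = lambda buf, off: struct.unpack_from("!H", buf, off)[0]
    try:
        if record[0] != 0x16:               # not a TLS handshake record
            return None
        body = record[5:5 + u16(record, 3)]
        if body[0] != 0x01:                 # not a ClientHello
            return None
        pos = 4 + 2 + 32                    # handshake header, version, random
        pos += 1 + body[pos]                # session_id
        pos += 2 + u16(body, pos)           # cipher_suites
        pos += 1 + body[pos]                # compression_methods
        end = pos + 2 + u16(body, pos)      # extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:               # server_name extension
                # list length (2), name type (1), name length (2), name
                name_len = u16(body, pos + 3)
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        return None                         # truncated or malformed input
    return None

if __name__ == "__main__":
    host = "db1.apps.example.com"           # constructed sample hostname
    print(sni_from_client_hello(client_hello(host)))
    print(sni_from_client_hello(client_hello(host, send_sni=False)))
```

The hostname travels in the clear in the ClientHello, which is why a proxy can route on it without holding the server's key.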
