Re: SSL SNI

From: Matthias van de Meent <boekewurm+postgres(at)gmail(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL SNI
Date: 2021-02-15 14:28:23
Message-ID: CAEze2Wgdy1ROjOBsFvYKmNiHc9nw3xBLqjpz9NcZBo+5NP14Kw@mail.gmail.com
Lists: pgsql-hackers

On Mon, 15 Feb 2021 at 15:09, Peter Eisentraut
<peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
>
> A customer asked about including Server Name Indication (SNI) into the
> SSL connection from the client, so they can use an SSL-aware proxy to
> route connections. There was a thread a few years ago where this was
> briefly discussed but no patch appeared.[0] I whipped up a quick patch
> and it did seem to do the job, so I figured I'd share it here.

The same topic of SSL-aware proxying based on SNI was mentioned in a
more recent thread here [0]. The state of that patch is unclear,
though. Other than that, this feature seems useful.

+ /*
+ * Set Server Name Indication (SNI), but not if it's a literal IP address.
+ * (RFC 6066)
+ */
+ if (!((conn->pghost[0] >= '0' && conn->pghost[0] <= '9') ||
strchr(conn->pghost, ':')))
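
Review bot: The digit test in this condition (`conn->pghost[0] >= '0' && conn->pghost[0] <= '9'`) classifies the host by its first character only, so any DNS name that begins with a digit is treated as an IPv4 literal and gets no SNI. Decide by parsing instead, for example by skipping SNI only when inet_pton() with AF_INET accepts the string, and keep the strchr() colon test for IPv6, since a hostname cannot contain ':'. The condition also reads conn->pghost[0] with no NULL or empty-string check visible in these lines, so confirm pghost is guaranteed to be set before this point or add the guard here.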

'1one.example.com' is a valid hostname, but would fail this trivial
test, and thus would not have SNI enabled on its connection.

With regards,

Matthias van de Meent

[0] https://www.postgresql.org/message-id/flat/37846a5e-bb5e-0c4f-3ee8-54fb4bd02fab%40gmx.de
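
The false negative described in this message, shown as an added example that is not part of the original mail or of the PostgreSQL patch. The function names are hypothetical, the sample hosts are constructed, and replacing the digit test with inet_pton() is one possible fix, not something the thread states was adopted.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* The condition quoted in the mail: first character is a digit, or a ':' is present. */
static bool heuristic_is_ip_literal(const char *host)
{
    return (host[0] >= '0' && host[0] <= '9') || strchr(host, ':') != NULL;
}

/*
 * Hypothetical replacement: a ':' can never appear in a DNS hostname, so it
 * still marks an IPv6 literal (including scoped forms such as fe80::1%eth0);
 * IPv4 is decided by actually parsing the dotted quad.
 */
static bool parsed_is_ip_literal(const char *host)
{
    struct in_addr v4;

    return strchr(host, ':') != NULL || inet_pton(AF_INET, host, &v4) == 1;
}

/* RFC 6066: send SNI only for a non-empty DNS name, never for an IP literal. */
static bool should_send_sni(const char *host)
{
    return host != NULL && host[0] != '\0' && !parsed_is_ip_literal(host);
}

int main(void)
{
    /* Constructed sample hosts, not taken from the thread except the first. */
    const char *samples[] = {
        "1one.example.com", "db.example.com", "192.0.2.10",
        "2001:db8::1", "fe80::1%eth0"
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s heuristic_sni=%d parsed_sni=%d\n", samples[i],
               !heuristic_is_ip_literal(samples[i]),
               should_send_sni(samples[i]));
    return 0;
}
```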
