| From: | Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com> |
|---|---|
| To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: [PATCH v3] Add ssl_cert_files/ssl_key_files for multi-certificate support |
| Date: | 2026-06-22 18:40:46 |
| Message-ID: | CAN4CZFNfBW6yXgEidqDnkvDFDbnnthtZSvpLkSV_XHjj-uh8=Q@mail.gmail.com |
| Lists: | pgsql-hackers |
> When set, ssl_cert_files takes precedence over ssl_cert_file.
Are you sure? ssl_cert_files gets loaded after ssl_cert_file was
already loaded; it seems additive to me. Shouldn't specifying both result in
an error instead?
> 2) TLS 1.3 HRR test — added a proper test that forces HelloRetryRequest
> by setting ssl_groups='secp384r1' on the server and connecting with
> -groups X25519:secp384r1. The ssl_update_ssl() fix (override=1
> always) is carried over from v2.
I don't see it? The string secp384r1 doesn't appear in the patch at all.
> LibreSSL fallback
> paths verified via #undef SSL_CERT_SET_FIRST build.
I think the fallback part needs at least proper documentation / a
description specifying what the expected behavior is. Currently, if I
follow it correctly, it serves the last loaded certificate, silently
ignoring the others? I don't think that's a behavior I would expect from a
security-focused feature. But note that I have not yet tried to build the
patch with LibreSSL and run tests with it.
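As an added illustration of the "last loaded certificate" concern raised above (this is not code from the patch or from PostgreSQL, which does its certificate handling in C against OpenSSL/LibreSSL): the Go program below builds two constructed self-signed certificates for a made-up hostname, loads them in the order ECDSA then RSA, and models a TLS 1.3 client that only advertises an ECDSA signature scheme. Serving "whatever was loaded last" hands that client the RSA certificate it cannot use; selecting the first certificate the client can actually verify, and erroring out when none fits, is the behavior a multi-certificate feature needs to document. The hostname, serials and the ClientHello contents are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serverName is a made-up hostname used only for the constructed certificates.
const serverName = "db.example"

// selfSigned builds an in-memory self-signed leaf for priv. Constructed test
// data standing in for one ssl_cert_file / ssl_cert_files entry.
func selfSigned(priv crypto.Signer, serial int64) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// loadCerts returns the certificates in "load order": ECDSA P-256 first and
// RSA-2048 last, like a server configured with one certificate per key type.
func loadCerts() ([]tls.Certificate, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rs, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecCert, err := selfSigned(ec, 1)
	if err != nil {
		return nil, err
	}
	rsaCert, err := selfSigned(rs, 2)
	if err != nil {
		return nil, err
	}
	return []tls.Certificate{ecCert, rsaCert}, nil
}

// keyType labels a certificate by its private key algorithm.
func keyType(c *tls.Certificate) string {
	switch c.PrivateKey.(type) {
	case *ecdsa.PrivateKey:
		return "ecdsa"
	case *rsa.PrivateKey:
		return "rsa"
	}
	return "other"
}

// ecdsaOnlyHello models a TLS 1.3 client that advertises only an ECDSA/P-256
// signature scheme (constructed; a real ClientHello carries more fields).
func ecdsaOnlyHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{
		ServerName:        serverName,
		SupportedVersions: []uint16{tls.VersionTLS13},
		SignatureSchemes:  []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256},
		SupportedCurves:   []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites:      []uint16{tls.TLS_AES_128_GCM_SHA256},
	}
}

// lastLoaded is the questioned fallback: always serve whatever was loaded
// last, without looking at what the client can verify.
func lastLoaded(certs []tls.Certificate) *tls.Certificate {
	return &certs[len(certs)-1]
}

// selectCert returns the first configured certificate this client can use,
// and fails loudly instead of serving one the client cannot verify.
func selectCert(certs []tls.Certificate, hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for i := range certs {
		if err := hello.SupportsCertificate(&certs[i]); err == nil {
			return &certs[i], nil
		}
	}
	return nil, errors.New("no configured certificate is acceptable to this client")
}

func main() {
	certs, err := loadCerts()
	if err != nil {
		panic(err)
	}
	hello := ecdsaOnlyHello()
	last := lastLoaded(certs)
	fmt.Printf("last loaded: %s, usable by client: %v\n",
		keyType(last), hello.SupportsCertificate(last) == nil)
	chosen, err := selectCert(certs, hello)
	if err != nil {
		panic(err)
	}
	fmt.Printf("selected: %s\n", keyType(chosen))
}
```

The selection loop uses Go's ClientHelloInfo.SupportsCertificate, which checks the requested server name, the negotiated protocol version and the client's signature_algorithms against the key; the same decision in a C/OpenSSL server would come from the library's own certificate selection when several key types are installed, which is exactly what the LibreSSL fallback path has to either reproduce or document as unsupported.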