| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Dewei Dai <daidewei1970(at)163(dot)com>, "li(dot)evan(dot)chao" <li(dot)evan(dot)chao(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Andres Freund <andres(at)anarazel(dot)de>, Pgsql Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Serverside SNI support in libpq |
| Date: | 2025-12-11 17:47:28 |
| Message-ID: | CAOYmi+=u=vS1beiog6p5e843uVdout9qZY=pRj4vo=jCVwgGTA@mail.gmail.com |
| Lists: | pgsql-hackers |
Hi!
On Mon, Nov 24, 2025 at 6:53 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> The attached incorporates your tests, fixes them to make them pass. The
> culprit seemed to be a combination of a bug in the code (the verify callback
> needs to be defined in the default context even if there is no CA for it to be
> called in an SNI setting because OpenSSL), and that the tests were matching
> backend errors against frontend messages.
The new v12 tests still don't pass for me (they all use "certificate
verify failed", but the failure modes should be different).
> + if (host->ssl_ca && host->ssl_ca[0] != '\0')
The comment for HostsLine.ssl_ca, and the code that assigns it,
implies to me that host->ssl_ca should never be NULL. Am I missing a
case where it could be?
On Wed, Dec 3, 2025 at 1:57 AM Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> I propose that there is no GUC. In 'pg_hosts.conf', you can specify a
> wildcard '*' host that matches anything. You can also specify a "no sni"
> line which matches connections with no SNI specified. (Or something
> along those lines, I didn't think too hard about all the interactions).
That seems to position SNI as a feature that every DBA should have to
think about by default. ("learn this file. you can't turn it off.") Is
it, yet?
Web servers enable SNI implicitly because name-based hosting is a
top-level concept for users over there (hostnames are baked into the
application layer). I would argue that we don't have that here. Maybe
in the future someone will ask for that, but at that point don't you
want a very different, name-based, config system?
On Wed, Dec 3, 2025 at 3:28 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > On 3 Dec 2025, at 22:27, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
> > What if we make it so that if a pg_hosts.conf file exists, then the
> > ssl_cert_file/ssl_key_file configs are ignored? And by default initdb
> > would not create a file (or it would, but with the same default
> > settings that we have now).
>
> Maybe. I'm not a big fan of magic-file-exist configurations
Me neither. (I especially don't like the idea of ignoring a
certificate+key setting that a user has taken the time to put into a
config.)
Thanks,
--Jacob