From bef8152b6f4ad2ed2ccd8158088a35b2cf625491 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Thu, 25 Feb 2021 16:40:32 +0100
Subject: [PATCH v2] Set SNI for SSL connections from the client
This allows an SNI-aware proxy to route connections.
Discussion: https://www.postgresql.org/message-id/flat/7289d5eb-62a5-a732-c3b9-438cee2cb709%40enterprisedb.com
---
 src/interfaces/libpq/fe-secure-openssl.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 0fa10a23b4..889213c994 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1076,6 +1076,26 @@ initialize_SSL(PGconn *conn)
 SSL_CTX_free(SSL_context);
 SSL_context = NULL;
+ /*
+ * Set Server Name Indication (SNI), but not if it's a literal IP address.
+ * (RFC 6066)
+ */
+ if (!(strspn(conn->pghost, "0123456789.") == strlen(conn->pghost) ||
+ strchr(conn->pghost, ':')))
+ {
+ if (SSL_set_tlsext_host_name(conn->ssl, conn->pghost) != 1)
+ {
+ char *err = SSLerrmessage(ERR_get_error()); + appendPQExpBuffer(&conn->errorMessage, libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"), err); SSLerrfree(err); SSL_CTX_free(SSL_context); return -1; } } + /* * Read the SSL key. If a key is specified, treat it as an engine:key * combination if there is colon present - we don't support files with -- 2.30.1
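Review bot: The new guard passes `conn->pghost` straight to `strspn()`/`strlen()` with no NULL or empty check, and it uses the raw `host` setting rather than the host of the current connection attempt, so a connection that sets only `hostaddr` may leave `pghost` NULL and crash here, while a multi-host string such as `host=a,b` would send the whole comma-separated list as the SNI name. If, as elsewhere in libpq, the parsed per-attempt host lives in `conn->connhost[conn->whichhost].host`, the block should start with `const char *host = conn->connhost[conn->whichhost].host;`, test `if (host && host[0] && !(strspn(host, "0123456789.") == strlen(host) || strchr(host, ':')))`, and call `SSL_set_tlsext_host_name(conn->ssl, host)` with that value. SNI also puts the target hostname on the wire in cleartext before the handshake is protected, so a connection option to switch it off (for example `sslsni=0`) is worth adding alongside this change for deployments that do not want the name exposed. initialize_SSL begins and ends outside the hunk.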