Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vW1Yn-00AwSm-0r
	for pgsql-hackers@arkaria.postgresql.org;
	Thu, 18 Dec 2025 00:08:02 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vW1Ym-00H5lB-00
	for pgsql-hackers@arkaria.postgresql.org;
	Thu, 18 Dec 2025 00:08:00 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <daniel@yesql.se>)
	id 1vW1Yl-00H5l3-1r
	for pgsql-hackers@lists.postgresql.org;
	Thu, 18 Dec 2025 00:08:00 +0000
Received: from smtp.outgoing.loopia.se ([93.188.3.37])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <daniel@yesql.se>)
	id 1vW1Yj-001Em7-0n
	for pgsql-hackers@lists.postgresql.org;
	Thu, 18 Dec 2025 00:07:59 +0000
Received: from s807.loopia.se (localhost [127.0.0.1])
	by s807.loopia.se (Postfix) with ESMTP id 5835E50AC2B
	for <pgsql-hackers@lists.postgresql.org>;
 Thu, 18 Dec 2025 01:07:53 +0100 (CET)
Received: from s899.loopia.se (unknown [172.22.191.6])
	by s807.loopia.se (Postfix) with ESMTP id 487CC50AF59;
	Thu, 18 Dec 2025 01:07:53 +0100 (CET)
Received: from s473.loopia.se (unknown [172.22.191.6])
	by s899.loopia.se (Postfix) with ESMTP id 43EB12C8B90B;
	Thu, 18 Dec 2025 01:07:53 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2
 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1] autolearn=disabled
Authentication-Results: s473.loopia.se (amavisd-new); dkim=pass (2048-bit key)
 header.d=yesql.se
Received: from s979.loopia.se ([172.22.191.5])
 by s473.loopia.se (s473.loopia.se [172.22.190.13]) (amavisd-new, port 10024)
 with LMTP id b0ruGmAYPXKf; Thu, 18 Dec 2025 01:07:52 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: daniel@yesql.se
X-Loopia-Originating-IP: 89.255.232.236
Received: from smtpclient.apple (customer-89-255-232-236.stosn.net
 [89.255.232.236])
	(Authenticated sender: daniel@yesql.se)
	by s979.loopia.se (Postfix) with ESMTPSA id 9AF1110BC442;
	Thu, 18 Dec 2025 01:07:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se;
	s=loopiadkim1707475645; t=1766016472;
	bh=wSDsPOl9LHhh0/wJosxAFDwrIpc6a9Fv6jdbNOpUDN8=;
	h=Subject:From:In-Reply-To:Date:Cc:References:To;
	b=fc6I1YuhYTX0jAk/QoadCqjnrpSceL8jDV9VgE9rMA3t6a/piVUFYsU6dz4OmS3HV
	 o5CRm0xdxxEtKHfXlHJXVbAi3+cPcT6pB3i+wmYqBc+kW+cHngvsCbdrH4fjEBMSbe
	 ulS+UR6X//4Q0fZD1bHwg0mO1fWgORDiPdcZ+IH3EWR7riML+5+SxtunIj+y4opk4o
	 9APsGV+4B98hskzP76iVZUYt111Vemzag9k2vvPR8kflgUUC623qQCJJhiJLUzHcDE
	 NI6w7eOqc5S7rbRVr/jIR9JTJAkWZJf7Yf/6tmy0Y5kCV8L4GOjb7IlRbZA8H4ZvLd
	 KTOYmCTuTHRTw==
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.2\))
Subject: Re: Serverside SNI support in libpq
From: Daniel Gustafsson <daniel@yesql.se>
In-Reply-To: 
 <CAOYmi+mZ=i55iH44zPqidZfoNDLwPBMD=PUtD03LR2ut+zMEag@mail.gmail.com>
Date: Thu, 18 Dec 2025 01:07:41 +0100
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
 Heikki Linnakangas <hlinnaka@iki.fi>,
 Dewei Dai <daidewei1970@163.com>,
 "li.evan.chao" <li.evan.chao@gmail.com>,
 Michael Paquier <michael@paquier.xyz>,
 Andres Freund <andres@anarazel.de>,
 Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <01412917-C42E-4238-97E2-707C32940DDD@yesql.se>
References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se>
 <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se>
 <Z1jeINLtB05YMVOY@paquier.xyz>
 <E51258CD-C7B2-4BB1-AB9C-A3DD2B6592D0@yesql.se>
 <F4222274-15C0-40E4-84FB-8FC1355BB8B2@yesql.se>
 <CAOYmi+mSrV8hRaQkvGDf1Df4cmpv5SeTbTxppyxeonMe6MW8nA@mail.gmail.com>
 <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se>
 <aa7gx3mychf3m2g67mbslzbxjy3if4enpcflstoa5pol3432x5@ugqz45gsvurq>
 <F585452A-1F69-4658-A7E8-D1273AC663ED@yesql.se>
 <aLT9xVsTVp0j3zWy@paquier.xyz>
 <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se>
 <D9F6F14D-FCB1-48B5-9CBC-AE89FA0AEF4C@yesql.se>
 <CAOYmi+m2Ks7D4obtXay3y-UNn6CkTNrmr_zWC25vKTdesatafA@mail.gmail.com>
 <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se>
 <DD77A37A-BFCA-4819-A029-1A41E2443D8E@gmail.com>
 <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se>
 <2025112617144938459246@163.com>
 <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se>
 <afb479af-2fe7-4790-ad11-437a326329b5@iki.fi>
 <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se>
 <f621264b-26a6-4b7a-8982-3820b7d6d397@iki.fi>
 <CAGECzQTWH-bzHcdPo=i09TL_P6_HBBNEkBmr+rpN_J9zVfR2Fw@mail.gmail.com>
 <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se>
 <CAOYmi+=u=vS1beiog6p5e843uVdout9qZY=pRj4vo=jCVwgGTA@mail.gmail.com>
 <FB2759EB-C8DB-49FA-800F-7010C65EB8DF@yesql.se>
 <CAOYmi+mZ=i55iH44zPqidZfoNDLwPBMD=PUtD03LR2ut+zMEag@mail.gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
X-Mailer: Apple Mail (2.3776.700.51.11.2)
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/01412917-C42E-4238-97E2-707C32940DDD%40yesql.se>
Precedence: bulk

> On 18 Dec 2025, at 00:58, Jacob Champion =
<jacob.champion@enterprisedb.com> wrote:
>=20
> On Fri, Dec 12, 2025 at 3:41=E2=80=AFAM Daniel Gustafsson =
<daniel@yesql.se> wrote:
>>> The comment for HostsLine.ssl_ca, and the code that assigns it,
>>> implies to me that host->ssl_ca should never be NULL. Am I missing a
>>> case where it could be?
>>=20
>> The attached version allows ssl_ca to be omitted from the pg_host =
config to
>> match the ssl_ca GUC.
>=20
> Aha! I think ssl_ca should be moved into the "Optional fields" section
> of `struct HostsLine` now.

Ah, yes.

>> I'm still not sure why they pass for me locally with that error, but =
I've
>> updated to patch to match CI.
>=20
> There's one diff remaining from my old tests patch: the example.org
> line doesn't set ssl_ca, so I expect
>=20
>> -       expected_stderr =3D> qr/unknown ca/);
>> +       expected_stderr =3D> qr/client certificates can only be =
checked if a root certificate store is available/);
>=20
> because host_context->ssl_loaded_verify_locations should be false. But
> that doesn't happen... Why?

I'll have a look.

> Just checking my understanding: is the use case for no_sni primarily
> that you should be able to strictly refuse clients who say they're
> talking to someone else -- so you don't want a wildcard -- but you
> still want to gracefully handle clients who don't speak SNI at all?

Yeah, pretty much.

>> +           else if (strcmp(host->hostname, "no_sni") =3D=3D 0)
>> +               no_sni_context =3D host_context;
>=20
> Will anyone be mad at us for camping on the "no_sni" identifier? I
> know technically underscore isn't allowed in DNS hostnames, buuuut [1,
> 2]

Maybe, but I think that regardless of what we do someone will be mad.  =
The
other option would be to use another single character like '?' or =
something.
Not sure that will improve readability though.

>> +   /* Hostname */
>> +   field =3D list_head(tok_line->fields);
>> +   tokens =3D lfirst(field);
>> +   token =3D linitial(tokens);
>> +   parsedline->hostname =3D pstrdup(token->string);
>=20
> We should probably check tokens->length to make sure that the user
> hasn't passed more than one token for each field, similar to how
> parse_hba_line() does it.

Good point, will do that.

> Should we support multiple hostname tokens in a single line, though,
> and just copy the settings that follow across all of them?

I've been hesitant to add too much complexity, but perhaps just allowing =
a
comma separated list is a good middle ground to avoid going full regex?

--
Daniel Gustafsson