Subject: Re: Serverside SNI support in libpq
From: Daniel Gustafsson
Date: Thu, 4 Dec 2025 00:27:53 +0100
To: Jelte Fennema-Nio
Cc: Heikki Linnakangas, Dewei Dai, "li.evan.chao", Jacob Champion, Michael Paquier, Andres Freund, Pgsql Hackers
Message-Id: <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se>

> On 3 Dec 2025, at 22:27, Jelte Fennema-Nio wrote:
>
> On Wed, 3 Dec 2025 at 17:57, Heikki Linnakangas wrote:
>>> I really want to make it possible for anyone who doesn't want SNI to keep using
>>> postgresql.conf and get the exact behavior they've always had. Do you agree
>>> with that design goal?
>>
>> Yeah, that's fair.
>
> What if we make it so that if a pg_hosts.conf file exists, then the
> ssl_cert_file/ssl_key_file configs are ignored? And by default initdb
> would not create a file (or it would, but with the same default
> settings that we have now).

Maybe. I'm not a big fan of magic-file-exist configurations but.. I'm trying
out a few different options to see which seems the most reasonable, and this
is for one of them.

> Basically it would be:
> 1. If the file does not exist, use the "off" behaviour
> 2. If the file exists, use the "strict" behaviour

It will really be "strict" *or* "default" based on whether or not '*' is set as
a wildcard hostname (which can be argued is just a version of strict).

--
Daniel Gustafsson