From: Jelte Fennema-Nio
Date: Wed, 3 Dec 2025 22:27:43 +0100
Subject: Re: Serverside SNI support in libpq
To: Heikki Linnakangas
Cc: Daniel Gustafsson, Dewei Dai, "li.evan.chao", Jacob Champion, Michael Paquier, Andres Freund, Pgsql Hackers

On Wed, 3 Dec 2025 at 17:57, Heikki Linnakangas wrote:
> > I really want to make it possible for anyone who doesn't want SNI to keep using
> > postgresql.conf and get the exact behavior they've always had. Do you agree
> > with that design goal?
>
> Yeah, that's fair.

What if we make it so that if a pg_hosts.conf file exists, then the
ssl_cert_file/ssl_key_file configs are ignored? And by default initdb
would not create a file (or it would, but with the same default
settings that we have now). Then we don't need the new GUC.

Basically it would be:
1. If the file does not exist, use the "off" behaviour
2. If the file exists, use the "strict" behaviour