Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w19oa-0002mi-2I for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Mar 2026 21:13:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w19oZ-000CYy-2Q for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Mar 2026 21:13:00 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w19oZ-000CYo-1C for pgsql-hackers@lists.postgresql.org; Fri, 13 Mar 2026 21:13:00 +0000 Received: from mail-yw1-x112c.google.com ([2607:f8b0:4864:20::112c]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w19oW-000000001jk-1g88 for pgsql-hackers@lists.postgresql.org; Fri, 13 Mar 2026 21:12:59 +0000 Received: by mail-yw1-x112c.google.com with SMTP id 00721157ae682-79628fb5c05so22229037b3.2 for ; Fri, 13 Mar 2026 14:12:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1773436375; cv=none; d=google.com; s=arc-20240605; b=aMy9qVlWST/GvVwn2W6SDMMsfwX6yU1qEfjs0wyQeyLfWXnB/3FZFKkI/PXtbC1kB7 JpsKW0PdFgGUkh+iChupkSxGxvUvstFmB3kSlbCfz/4aFSwGb9osocJM0EGbE9AfO0+i 7XCFuatrrVL/G3YT45nq4N3c8j00b75IP3uDkT4B7YcF0le5HTlw9ptd8M991f3v8FEA DUzB0lnHJoVdGonNWwVosIEu3qn5/FXhpZgs/PHH04OsRVjo8ngrxr5ilk4BrcBjmAoa /mrm5zgWAV9a+QVThArKwrR6QuviR7W2ZJOsFYbtdtYS9CRxz8DxFrmroXDwXIJxOTaj quiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=2KBNG8EOF9jBst3hHM3N6wBz7Omn1pIBw5S2vhtDv7I=; fh=0cVoeavGIqBg8av9Krqa/iOQeCuuZmwGIdOXI4TWH6k=; b=ZvpQm70qA8zpYQx3JBZEtoX42KH4MelW2RnSTYecIDbIWkAjtI2/bxdfxAl/ZRZPcU Hj4yLKneR/SHV7wQl9mhl46e/4ebjZJkbCMu08J02WjdQHl9SjqxeH5AxGHTRr3yKo+K P3w2AshtqKIhCfSgKinU4uey3uxMOKrPLYJcrplNiXzcYwDGaNjgEPrpkFXt6m6kj96P sG+wK3R75+VgiacNvE+xzgpiAn+gBWqSiaRtFgieM721G0NMLGj3PVThuaKfcs4Qzd6L Z7oC2yBV9PWQmAqG3/tPqiXWuLgsmX1tvdZHsL7nHH2jLobd7BeFqnMNtfnBBBK+kVgZ dVrg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1773436375; x=1774041175; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2KBNG8EOF9jBst3hHM3N6wBz7Omn1pIBw5S2vhtDv7I=; b=UpvO4ZG8ZQuZgyYaY48aHVu3n0Sddjx3meH2WlXn6akV9e76fVDr7DkzwZIHiU3SrQ A5pXgJyK8lOBC914RyuIhwhJFbcaBWA+i65n8P7DUip7sV2qk3aPKheQPgfEROKH3xBh Ex9BmtfD1MUgnZjGHZYB010dunU48M22dh94M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773436375; x=1774041175; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=2KBNG8EOF9jBst3hHM3N6wBz7Omn1pIBw5S2vhtDv7I=; b=g7AQtelRWKA1cbhPKuROZo9kFqLQnttfAllrc/6wjnUnltf1AGtB9PBmrdejwIYxLz VuNc5sC9bjWirdj17zAYjB539fHQGzbQJfOgeLmBkuvfC2tNMZmSwJD2miagNiramBFe /QAbZcjfmqVd2ODWH61Y70eEhQ8lYPNIQpHzyWGQU1W/HA7km9oUQWY+kjfGceuub3GU vW8/mLG0Mpni6b2s9nkZnYhP3Qm8tvjsJRaI4z1wZdMBqvYyqbH+sSoD1DTaGWYGU8n7 BfQgYhgnixcbY5QlJvDLhUH/yGqM38hnsSATqYTamWp0xq5Sdq2SzgkXFjd2wlQgGoeS TE/w== X-Forwarded-Encrypted: i=1; AJvYcCXReh7M+5tXnWTk7ScbQ0CV4BxsoN6oLpri8V3L/JY6y5veSGUiFXsqtnM2QVzpvf1Pqwj7EjEBT0dDUiiw@lists.postgresql.org X-Gm-Message-State: AOJu0YyH/I7psGxOIKJtLZ/HCXy6thJctN7XrpEo4OwfOL/9nCvugxwf kqIAtKI45lF8sC+nFKsNyZmvF2cI48HZKk8LVE+1BQ8Le/WLs18Qt3EYsiP/zGihNTgxrTlibMx VFG8vFdHVIUhqXKpeYBVMBGJy2pMjEB0o7RsuYPtqKIwr1gKQI/3SgIrdVm1BLmHo+BghnthNw8 UdScIwZKJFGT85s+7g9UDkGYifeGPU/7PvOOQMyVQe4WEpYZddd/B/nQU+EkSQ2mRr2BFLfjJvy +UFvspJ1oZw3xnQvmwTqTSkPSQmXClcrRuiYisgK0mTLx5qi0WvcccKIR//n8AIV/4= X-Gm-Gg: ATEYQzwWrRwPV0lNMJdKtQhSgy01cMpA8FrfFiXkdGZsCMcc+Mks7cHF05FF2acVlfH AsPR9ORJO5dZQBT0Qx1EycVcdAyfqG4d5t7Aj3lnfm1v6GIB9P8ckjLzzKpOhpdunu3t3jqruyF MNn+ySQV1N7J9rZCo7kqbz+q048Yi8GoWqZhp9JgqEQv45gBGe+FniMIyTlapnPyG/vk7cxlyV4 bz+/tNZH1f3OHKGR2ZZqEIkilUM/L/UBjHlqafJbBz/hwcAFmbnk/HC3Y4lUnXqqlBjP+qZudpQ xnTn3P7UHjVblPNVwuQh+u4d8gMglz17xZzImvUNnW0zuRy6BT9y1HooETzl3B0BJdMO X-Received: by 2002:a05:690c:e3cd:b0:79a:2312:5292 with SMTP id 00721157ae682-79a23127303mr33635847b3.20.1773436374599; Fri, 13 Mar 2026 14:12:54 -0700 (PDT) MIME-Version: 1.0 References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se> <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se> <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se> <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se> <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se> <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se> <2025112617144938459246@163.com> <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se> <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se> <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> <01412917-C42E-4238-97E2-707C32940DDD@yesql.se> In-Reply-To: From: Zsolt Parragi Date: Fri, 13 Mar 2026 21:12:43 +0000 X-Gm-Features: AaiRm50bviH0e7uv7aC_j5Lk1Jslos_-4LK0uRVWKOSJ2B8GCsWpySNF32wenJg Message-ID: Subject: Re: Serverside SNI support in libpq To: Daniel Gustafsson Cc: Jacob Champion , Jelte Fennema-Nio , Heikki Linnakangas , Dewei Dai , "li.evan.chao" , Michael Paquier , Andres Freund , Pgsql Hackers Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hello Originally I started looking at this thread because Jacob mentioned it relates to the custom OAuth / HBA variable question[1]. While I do see the relation, I don't have many practical ideas. I was thinking about suggesting using a "key=value, key=value ..." file style instead of the fixed table, both for easier later generalization, and because it aligns better to modern configuration formats (and personally I always find these columnar config files harder to read) However, it would also differ from other existing postgres config files and wouldn't offer a clear initial advantage, so it doesn't seem like a good practical choice. I'm still mentioning this for completeness, but mostly I'll focus on a more practical review: + check_nook => 'check_ssl_sni', This seems to be a typo? + if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &tlsext, &left)) + { + if (left <= 2) + { + *al = SSL_AD_MISSING_EXTENSION; + return 0; + } ... and later error returns in this if block seem to use the wrong error code to me: truncated length, length mismatch, empty list, length exceeding remaining data... missing_extension: Sent by endpoints that receive a handshake message not containing an extension that is mandatory to send for the offered TLS version or other negotiated parameters. decode_error: A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This alert is used for errors where the message does not conform to the formal protocol syntax. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network. Since we are already inside the if which verifies that the extension is present, shouldn't all of these report decode_error? + if (!ssl_update_ssl(ssl, install_config)) + { + ereport(COMMERROR, + errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("failed to switch to SSL configuration for host, terminating connection")); + return SSL_CLIENT_HELLO_ERROR; + } Isn't there a missing *al = assignment here? + /* + * There should be no more tokens after this, if there are break + * parsing and report error to avoid silently accepting incorrect + * config. + */ + if (tokens->length > 1) + { + ereport(elevel, + errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("extra fields at end of line"), + errcontext("line %d of configuration file \"%s\"", + tok_line->line_num, tok_line->file_name)); + return NULL; + } The comment suggests that this aims to prevent any additional text on the line, but this parses: localhost server.crt server.key server.crt "cmd" on TRAILING_TEXT MORE_TEXT + /* SSL Passphrase Command (optional) */ + field = lnext(tok_line->fields, field); + if (field) + { + tokens = lfirst(field); + token = linitial(tokens); Isn't a length > 1 error check missing from here? [1]: https://www.postgresql.org/message-id/CAN4CZFM3b8u5uNNNsY6XCya257u%2BDofms3su9f11iMCxvCacag%40mail.gmail.com