From: Jacob Champion
Date: Thu, 18 Dec 2025 10:20:21 -0800
Subject: Re: Serverside SNI support in libpq
To: Daniel Gustafsson
Cc: Jelte Fennema-Nio, Heikki Linnakangas, Dewei Dai, "li.evan.chao", Michael Paquier, Andres Freund, Pgsql Hackers

On Thu, Dec 18, 2025 at 9:06 AM Jacob Champion wrote:
> A nice-to-have v2ish feature might be to warn if the host configured
> for a certificate cannot in fact match that certificate according to
> OpenSSL.

Another wishlist item: the logs (both server- and client-side) are
pretty inscrutable when things fail right now. Server's relatively
easy to change, but I wonder if we can do something along the lines of
0b5d1fb36 to provide an extra hint on the client side?

--Jacob