Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1sX2lw-0019ju-R3
	for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Jul 2024 18:01:00 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1sX2lv-0007EI-6y
	for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Jul 2024 18:00:59 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1sX2lu-0007EA-RY
	for pgsql-hackers@lists.postgresql.org; Thu, 25 Jul 2024 18:00:58 +0000
Received: from mail-lf1-x12b.google.com ([2a00:1450:4864:20::12b])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1sX2lr-001R8M-VA
	for pgsql-hackers@lists.postgresql.org; Thu, 25 Jul 2024 18:00:57 +0000
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-52efba36802so803791e87.2
        for <pgsql-hackers@lists.postgresql.org>; Thu, 25 Jul 2024 11:00:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1721930454; x=1722535254; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=QNQpWEo8mCTmq4jQ3gaiJRgW5gtAOPAI3UA1d+faZmo=;
        b=kyGQQ8HoIEqQ9ORuzEMBSDkCRjhYLxKAQLnOkrX90YYCaY/n3M5uTBZNBRTtgcyQvX
         u3j18ihHVuc6ADmoQ2Ji7YX9d4YQP7YPYBGe/5Nq9Pa3eprYt8KaO8rddYCnWNhUuZC7
         +FqxPf9W2kJEyVTM84ALC1WUQK/jDbRma/IGiEFMJReJWQ3lSNogNTQzNxWHpUdY8b1g
         Yf19e83BnfRuzbtKf/FAGnQb6N5VcLKvBFnkbV9oie3YBCimCVC5uzGVso1QJsdZEX1J
         JhZZUWr0PZlgHjucVAmrxit2A8bP1yuJFeZnyPBMDuMcx937rwKhfdCigpKprjIpni2y
         IzGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721930454; x=1722535254;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=QNQpWEo8mCTmq4jQ3gaiJRgW5gtAOPAI3UA1d+faZmo=;
        b=A6/nPsDKPuYVS3ogCL6xqHzDKHhh0NSAaDYiT+IHd5wabvK5cu4yeSpvfSY+fOk9J/
         J6QgGGjFoIC8bYgn4IcGyOC16W6DLzYqKk8msgfFM1BSByDDwDnwnDavNokgQGhbl9/L
         /umUMhjjEcJ6T82xf58+pXrH8bjpzRb3uirlRtt5bXHqMHd5BqhiusPLVYWv/akxRspF
         s+F3FlllK+3K/pXsiMrQpV1vgj2e9SJEKPgcp550Z7LohULG00LyR3Hv/viv88k7m56/
         iAS3Zp0qSlkOSBUj/+X3Fm32ZDap9entKJ2erKQeuxlmQN3kRyQlRZ3HKWwso0oF6S3V
         ncrg==
X-Gm-Message-State: AOJu0YwreYzTZl3HmvtwprbC8IpoDyyXtAOU2KrwomRCQanvvh82B+m5
	MjCdhJg/Mbez4I+/4L8y2WzbyyaOw9x/bH6s70bgNkIqQcLujMVHoGDDjUUIRtpUBe9KNbgxLmU
	XDXji56AhT8zKyZO8HBn3JdK7OyZVzKVWqbNUQ3hrUYlzCXk=
X-Google-Smtp-Source: AGHT+IGgvqib7kPoEoGkmUUTDbqozMsC4i6nub78LBgBURIaUa2lKAvztzdUSV7vdsoYaQBsnw0kMWkWFZLoMokQJgw=
X-Received: by 2002:a05:6512:3baa:b0:52b:9c8a:734f with SMTP id
 2adb3069b0e04-52fd6098cedmr2056149e87.50.1721930454400; Thu, 25 Jul 2024
 11:00:54 -0700 (PDT)
MIME-Version: 1.0
References: <1C81CD0D-407E-44F9-833A-DD0331C202E5@yesql.se> <171658048932.1105.8754500817650927969.pgcf@coridan.postgresql.org>
In-Reply-To: <171658048932.1105.8754500817650927969.pgcf@coridan.postgresql.org>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Thu, 25 Jul 2024 11:00:41 -0700
Message-ID: <CAOYmi+=ZjGJLw8tCkzY88acd=ir1r8eAxO-+5wXm9gtCUV97Sg@mail.gmail.com>
Subject: Re: Serverside SNI support in libpq
To: Cary Huang <cary.huang@highgo.ca>
Cc: pgsql-hackers@lists.postgresql.org, Daniel Gustafsson <daniel@yesql.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/CAOYmi%2B%3DZjGJLw8tCkzY88acd%3Dir1r8eAxO-%2B5wXm9gtCUV97Sg%40mail.gmail.com>
Precedence: bulk

On Fri, May 24, 2024 at 12:55=E2=80=AFPM Cary Huang <cary.huang@highgo.ca> =
wrote:
> pg_hosts should also have sslpassword_command just like in the postgresql=
.conf in
> case the sslkey for a particular host is encrypted with a different passw=
ord.

Good point. There is also the HBA-related handling of client
certificate settings (such as pg_ident)...

I really dislike that these things are governed by various different
files, but I also feel like I'm opening up a huge can of worms by
requesting nestable configurations.

> +       if (ssl_snimode !=3D SSL_SNIMODE_OFF)
> +               SSL_CTX_set_tlsext_servername_callback(context, sni_serve=
rname_cb);
>
> If libpq client does not provide SNI, this callback will not be called, s=
o there
> is not a chance to check for a hostname match from pg_hosts, swap the TLS=
 CONTEXT,
> or possibly reject the connection even in strict mode.

I'm mistrustful of my own test setup (see previous email to the
thread), but I don't seem to be able to reproduce this. With sslsni=3D0
set, strict mode correctly shuts down the connection for me. Can you
share your setup?

(The behavior you describe might be a useful setting in practice, to
let DBAs roll out strict protection for new clients gracefully without
immediately blocking older ones.)

Thanks,
--Jacob