Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTklT-009y0m-30 for pgsql-hackers@arkaria.postgresql.org; Thu, 11 Dec 2025 17:47:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vTklS-004nLC-2u for pgsql-hackers@arkaria.postgresql.org; Thu, 11 Dec 2025 17:47:43 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTklS-004nL1-1w for pgsql-hackers@lists.postgresql.org; Thu, 11 Dec 2025 17:47:43 +0000 Received: from mail-qk1-x72e.google.com ([2607:f8b0:4864:20::72e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vTklQ-000BIU-23 for pgsql-hackers@lists.postgresql.org; Thu, 11 Dec 2025 17:47:41 +0000 Received: by mail-qk1-x72e.google.com with SMTP id af79cd13be357-8b2627269d5so37774385a.2 for ; Thu, 11 Dec 2025 09:47:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1765475259; x=1766080059; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dPFmctzvLpLFbZ8MHJOjw3+3ErADjFCXPvg+/feTOvc=; b=Mh9jhCoBU+478W3rpWC2kU6CSdLhvzh/V1/PPjwCqFo30/RdhLPeb6a943Ne7eATcZ u7bIYUp6iIuIy518IpwxjIrFCicEc+5vBKIwnvBUfUdPevKF7DJ0xaiI6VUL3mp0uvXJ 8AgZ2C89Rb62Ab1c+4WET0V8pw+GxIF80knJ2VbJWD6k/mfV8ArRUMR6Ww8N29oAHpa3 6ZhRiXuP0914DRyKUHiB77NwywAKB/s5gYml7jt+MSyxZQe5DO4vRCBNbe2YKQimvQwz NXIvQ4YDcLqj4+Pq2oNzpaGqtfEj+ewXCmqiEjpLf0z7yWGB7A2BTZuIeK41iZbXbj8r 3Qxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765475259; x=1766080059; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dPFmctzvLpLFbZ8MHJOjw3+3ErADjFCXPvg+/feTOvc=; b=k+i2DZmyB5DkAh3iD6VXNBN1XHrey8Lw3/38cXta15w0Z0VNg/nZJN3Ulwbf7+nDib b/PpJJfZJXXpipqcCfIN3nEK1c8BGO9eaSBRde8kZqZ+JAJoNKExnm0CZrqYj06GkG2k nFxkz0DWLtwyPsijx3Kn36fkWPoB5+03xaYZpjfNu4QwUosMxF7rKCRmWawjEqY1C1YG uv9jGOeFfnojlG8Sp7rAeMPeJTrQTByidHlENIK6lF5SHtvfBPHSRmEhEzmH3CSFJUhn K0757NpN9pQu+PU7J2yQtiHU8mmje44kGHpUL5Xdu7lkaNXbaSWPDP/y4238yawGw12i hbLQ== X-Forwarded-Encrypted: i=1; AJvYcCX3VPW4S7XSTra6N0wvyOiQV5Yl0cLDQf9TJBjnRs6itRo7g1W4KgAVtcKWiMe0CHQZYPzprDVYD/k/vW3s@lists.postgresql.org X-Gm-Message-State: AOJu0Yzqswsb20wqwv5Mj0OHTVDOHv1F4rp36LTjD2Ea9Z71YthexfDU IXRiA/TfvW8eykdML07JsJdDqxjMoJmYghdwtfolsQYgRJmvsO4EPBjJpxbScJYDM6l1u62eID4 JXNw0J56K+BsBN/ZZQj+ENVhs3EvSRi9orlMe/L/b X-Gm-Gg: AY/fxX51EjBeJ8fRgMSUH8/lMeWVaSwpTI8Nc8JEo6pPtjIvAMk5ipUeV4aQswL7uoj CcS6gAlMdJx2/alnGDixcBfe17EpTA7ndr6EDnXUmtzrUsGgzOoFYghrMqt6tb3xAHkZ5QBxYuZ XNeZRzG4QpUHgiiqxYKNaz71O6wNx522SoOpKEie+gjNS+Kx24hHCt+cGQVHEfx+RsmBrT867Kx ATNi1gGtfXd37vm2ZzYfkiDhRlXrCA1KSMU584Nql1MKK3fPkEZNveXCuPJY6OW8Km9511DSQ== X-Google-Smtp-Source: AGHT+IEbEupA6rf41pcxWJ5wOE7/5FezilEXNRhO2qgYVQCqsKvssmzULf45c2DoDkhtxaXUQhyu6LGqEB/OO5tMoaM= X-Received: by 2002:a05:620a:1710:b0:8b2:2800:d646 with SMTP id af79cd13be357-8ba3a668c2bmr1139951185a.88.1765475259208; Thu, 11 Dec 2025 09:47:39 -0800 (PST) MIME-Version: 1.0 References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se> <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se> <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se> <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se> <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se> <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se> <2025112617144938459246@163.com> <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se> <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se> <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> In-Reply-To: <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> From: Jacob Champion Date: Thu, 11 Dec 2025 09:47:28 -0800 X-Gm-Features: AQt7F2rMCVwIgP1OZqOLcqpw6AhvsfzRvHFU-bE3_dPj3RuQx7d8BCeJcVbIpnk Message-ID: Subject: Re: Serverside SNI support in libpq To: Daniel Gustafsson Cc: Jelte Fennema-Nio , Heikki Linnakangas , Dewei Dai , "li.evan.chao" , Michael Paquier , Andres Freund , Pgsql Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi! On Mon, Nov 24, 2025 at 6:53=E2=80=AFAM Daniel Gustafsson = wrote: > The attached incorporates your tests, fixes them to make them pass. The > culprit seemed to be a combination of a bug in the code (the verify callb= ack > need to be defined in the default context even if there is no CA for it t= o be > called in an SNI setting because OpenSSL), and that the tests were matchi= ng > backend errors against frontend messages. The new v12 tests still don't pass for me (they all use "certificate verify failed", but the failure modes should be different). > + if (host->ssl_ca && host->ssl_ca[0] !=3D '\0') The comment for HostsLine.ssl_ca, and the code that assigns it, implies to me that host->ssl_ca should never be NULL. Am I missing a case where it could be? On Wed, Dec 3, 2025 at 1:57=E2=80=AFAM Heikki Linnakangas = wrote: > I propose that there is no GUC. In 'pg_hosts.conf', you can specify a > wildcard '*' host that matches anything. You can also specify a "no sni" > line which matches connections with no SNI specified. (Or something > along those lines, I didn't think too hard about all the interactions). That seems to position SNI as a feature that every DBA should have to think about by default. ("learn this file. you can't turn it off.") Is it, yet? Web servers enable SNI implicitly because name-based hosting is a top-level concept for users over there (hostnames are baked into the application layer). I would argue that we don't have that here. Maybe in the future someone will ask for that, but at that point don't you want a very different, name-based, config system? On Wed, Dec 3, 2025 at 3:28=E2=80=AFPM Daniel Gustafsson = wrote: > > On 3 Dec 2025, at 22:27, Jelte Fennema-Nio wrote: > > What if we make it so that if a pg_hosts.conf file exists, then the > > ssl_cert_file/ssl_key_file configs are ignored? And by default initdb > > would not create a file (or it would, but with the same default > > settings that we have now). > > Maybe. I'm not a big fan of magic-file-exist configurations Me neither. (I especially don't like the idea of ignoring a certificate+key setting that a user has taken the time to put into a config.) Thanks, --Jacob