From: Jacob Champion <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Jelte Fennema-Nio <[email protected]>
Cc: Heikki Linnakangas <[email protected]>
Cc: Dewei Dai <[email protected]>
Cc: li.evan.chao <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Pgsql Hackers <[email protected]>
Subject: Re: Serverside SNI support in libpq
Date: Thu, 18 Dec 2025 09:06:19 -0800
Message-ID: <CAOYmi+m05X5fRaeV7w3y4VOePnJJQrihK9A_6ma3e5Pesa5mXA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<CAOYmi+mSrV8hRaQkvGDf1Df4cmpv5SeTbTxppyxeonMe6MW8nA@mail.gmail.com>
<[email protected]>
<aa7gx3mychf3m2g67mbslzbxjy3if4enpcflstoa5pol3432x5@ugqz45gsvurq>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<CAOYmi+m2Ks7D4obtXay3y-UNn6CkTNrmr_zWC25vKTdesatafA@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<CAGECzQTWH-bzHcdPo=i09TL_P6_HBBNEkBmr+rpN_J9zVfR2Fw@mail.gmail.com>
<[email protected]>
<CAOYmi+=u=vS1beiog6p5e843uVdout9qZY=pRj4vo=jCVwgGTA@mail.gmail.com>
<[email protected]>
<CAOYmi+mZ=i55iH44zPqidZfoNDLwPBMD=PUtD03LR2ut+zMEag@mail.gmail.com>
<[email protected]>
On Wed, Dec 17, 2025 at 4:07 PM Daniel Gustafsson <[email protected]> wrote:
> > Will anyone be mad at us for camping on the "no_sni" identifier? I
> > know technically underscore isn't allowed in DNS hostnames, buuuut [1,
> > 2]
>
> Maybe, but I think that regardless of what we do someone will be mad. The
> other option would be to use another single character like '?' or something.
> Not sure that will improve readability though.
Hm, I agree that's not readable. Especially since other famous server
implementations use ? to match a single character in server alias
names.
Maybe we could enclose no_sni with something that's emphatically not
DNS. Braces, brackets, etc.? If we had control over the lower level
tokenizer, we could tell people to double-quote it to disambiguate,
but I don't think we have access to that information at our level.
> > Should we support multiple hostname tokens in a single line, though,
> > and just copy the settings that follow across all of them?
>
> I've been hesitant to add too much complexity, but perhaps just allowing a
> comma separated list is a good middle ground to avoid going full regex?
I think it could be a pretty good bump in usability. Wildcards seem
ideal but the cost is much higher. Hopefully the cost of
comma-separated hosts is just an extra inner loop in the parser, plus
the extra tests?
I'm trying to put on my "what could we possibly regret" hat for these
next ones. They may be uselessly speculative:
- If the goal is to eventually support wildcards, will the use of a
bare catch-all asterisk conflict with your plans (if any)?
- What kind of normalization should we do? Currently, `example.com`
will not match `example.COM` and it seems like that might be a problem
for somebody.
- Do we need to consider IDNs and A-labels and U-labels? (Do we
support the latter today, at all?)
A nice-to-have v2ish feature might be to warn if the host configured
for a certificate cannot in fact match that certificate according to
OpenSSL.
--Jacob
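To make the parsing and normalization points above concrete (the "extra inner loop" for comma-separated host lists, case-folding so that `example.com` also matches `example.COM`, and a reserved `no_sni` token that should not be claimable by a client), here is an added example that is not part of the patch or of the thread. It assumes a hypothetical config shape in which each entry is a comma-separated list of hostnames mapped to an opaque certificate label; the entry table and the `sni_lookup` / `demo_lookup` function names are constructed for this illustration and are not libpq or PostgreSQL APIs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST 256
#define NO_SNI_TOKEN "no_sni"   /* reserved identifier discussed in the thread */

/* Hypothetical config entry: the hostname list as written on the config line,
 * and the certificate it selects (an opaque label here). */
typedef struct {
    const char *hosts;       /* e.g. "example.com, www.Example.COM" */
    const char *cert_label;
} sni_entry;

/* Copy src[0..n) into dst, folding ASCII letters to lowercase.
 * DNS hostnames are case-insensitive, so both sides are normalized. */
static void normalize_host(char *dst, const char *src, size_t n, size_t cap)
{
    size_t i;
    for (i = 0; i < n && i + 1 < cap; i++)
        dst[i] = (char) tolower((unsigned char) src[i]);
    dst[i] = '\0';
}

/* The "extra inner loop": walk a comma-separated list, trimming whitespace
 * around each token, and report whether the normalized key appears in it. */
static bool host_list_contains(const char *list, const char *key)
{
    const char *p = list;
    while (*p) {
        char tok[MAX_HOST];
        const char *start, *end;
        while (*p == ' ' || *p == '\t' || *p == ',')   /* skip separators */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                                     /* trim trailing blanks */
        normalize_host(tok, start, (size_t) (end - start), sizeof tok);
        if (strcmp(tok, key) == 0)
            return true;
    }
    return false;
}

/* Select the certificate for a client's SNI value. A NULL or empty sni means
 * the client sent no SNI at all, which is the only way to reach the reserved
 * "no_sni" entry; a client that literally sends "no_sni" as its server name
 * is refused rather than handed the default certificate. Returns NULL when
 * nothing matches. */
const char *sni_lookup(const sni_entry *entries, size_t n, const char *sni)
{
    char norm[MAX_HOST];
    const char *key;

    if (sni == NULL || *sni == '\0') {
        key = NO_SNI_TOKEN;
    } else {
        normalize_host(norm, sni, strlen(sni), sizeof norm);
        if (strcmp(norm, NO_SNI_TOKEN) == 0)
            return NULL;   /* reserved token is not a valid client hostname */
        key = norm;
    }
    for (size_t i = 0; i < n; i++)
        if (host_list_contains(entries[i].hosts, key))
            return entries[i].cert_label;
    return NULL;
}

/* Constructed sample table standing in for a parsed config file. */
static const sni_entry demo_entries[] = {
    { "example.com, www.Example.COM", "cert-example"  },
    { "db.internal",                  "cert-internal" },
    { NO_SNI_TOKEN,                   "cert-default"  },
};

const char *demo_lookup(const char *sni)
{
    return sni_lookup(demo_entries,
                      sizeof demo_entries / sizeof demo_entries[0], sni);
}

int main(void)
{
    const char *probes[] = { "EXAMPLE.com", "www.example.com", "db.internal",
                             "other.example", NULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *hit = demo_lookup(probes[i]);
        printf("%-16s -> %s\n", probes[i] ? probes[i] : "(no SNI)",
               hit ? hit : "(no match)");
    }
    return 0;
}
```

The lookup folds only ASCII, which is enough for A-labels; U-label (IDN) input would need IDNA processing before it reaches this table, which is the open question raised in the message and is deliberately not handled here.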