Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vWHSX-00GUsB-0q
	for pgsql-hackers@arkaria.postgresql.org;
	Thu, 18 Dec 2025 17:06:38 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vWHST-0034Qi-31
	for pgsql-hackers@arkaria.postgresql.org;
	Thu, 18 Dec 2025 17:06:34 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vWHST-0034QY-21
	for pgsql-hackers@lists.postgresql.org;
	Thu, 18 Dec 2025 17:06:34 +0000
Received: from mail-qv1-xf2b.google.com ([2607:f8b0:4864:20::f2b])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vWHSR-001MVd-2k
	for pgsql-hackers@lists.postgresql.org;
	Thu, 18 Dec 2025 17:06:32 +0000
Received: by mail-qv1-xf2b.google.com with SMTP id
 6a1803df08f44-88a32bf0248so7105526d6.0
        for <pgsql-hackers@lists.postgresql.org>;
 Thu, 18 Dec 2025 09:06:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1766077590; x=1766682390;
 darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=OYAVF9tw0DmnAUrPOgsUBFpYpTx2Msom1L1PXxHbjSA=;
        b=RpiJM0slAL8Vlsag8+uXVvpJcW9LUrIlSuXw1nbd+3Wb6LjGC0Y2iszOKAMZJa5EA8
         xbazhCwDbgblIuvwS+OfkCit/ajZlKXdtpNfEF8Txpt7/eFKjYcf9KYl6OVSKgLZiyeb
         /gJyHBNT1BGzz3D9WbVcNQIWbPExG0JWVFGR3t1GmeddujeokhU6GcUDL1FQsHfINytW
         HYImd8iqSOKDh3H28qxg+YRINLCdyURukNk2J8ReGIkWsbQBXID4i3btFKjZI9P9u4x7
         omHdizjQCwtcjuec+UlJJ8yraQkikA97JB08aUR+wmK+Uu+yNA0ApOcOpF0NucDhTiuU
         ToKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1766077590; x=1766682390;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=OYAVF9tw0DmnAUrPOgsUBFpYpTx2Msom1L1PXxHbjSA=;
        b=dXJPP+iNc+miVRWeIROZXQqtlY6BANZkpWIDPGdagx+lwTZ9a7OY6KNzzrtcx5wvNP
         0zfkvX1jbYVxeh8am9DISL/j18c+nINpECcTQ/yCvsgAJn89iK0aaRPCmuCEY3sPQHJ7
         tgwkNlLTlFzw8ZU4PtwKWhQH5osUPjwZzSxEfoCQnQWMSyKvnNTcap1jqp0YMTI/57j7
         CPjTvDJykaMRgZQTtCmMel6P3BVTcrAW3+yGME3RMjawoiXObwZKr7v5LWjZtTGdqzzv
         RwinvrQcMxfO8tuLLfnlgvlizsrw4TzfYSCh2lpV6Sn4M/fbGFs4t0u6pqg7X6sm4DwH
         ivCA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVCcsF1WAnSlnXiY1wwiPB8JT4Bu5+Sew/nVX86LWypWp4CaJ2IFnw81kxm0CnJVjQOwBE6SBNBE8A4ZzCS@lists.postgresql.org
X-Gm-Message-State: AOJu0Yy56k5biDCXhXj6y2Px8hsISx5CNWl12y8JliXI+RnfoqgBNkig
	H/khZjksrSlTsmJAMZrfrTHnJ5RkU+J24HvxJvjFEtoiz3oiHv80g5nQjEtNlVlOer0avOVic30
	WzNEHJKAPlrvBLNpGW5QdLiAaogfRCIJMaivq3qiO
X-Gm-Gg: AY/fxX6oD4LQgvM2TcBklMEBRmmF5uGVieA8zEllThdWGlWdJvAc9FGYs6XL6jlwEcK
	5PuTlHGrd381y3KammqBAUE+b35jwTnnjYUGHFRXFJmFxwWQGU7cUTgvtB54mE6afIWtmB4p31b
	PVXz4GWuF7I5rx6XpbjOUfriz3affcs8NQBcwlI/RejuTUp2Mn+3h3x5PiqEVlhe8BiXV/pzYs2
	Dq6OVgnDk5FF+EyhmuipkVPNMXKO7wZERYuM2T/bZIKH3oXDzmCV2Iza3DkfYtSOrSGSpe4tdkf
	5NTGSudy
X-Google-Smtp-Source: 
 AGHT+IEt5W397M7w8qWOLDwjDu7dN6CxZr4STDkJNvcagbHFOSnFyGyRHO3tm+aSZVwSPX8XsG9VEyXMW21YwY2LQwA=
X-Received: by 2002:a0c:edcb:0:b0:882:3c0c:a410 with SMTP id
 6a1803df08f44-88d83d65488mr4270596d6.47.1766077590233; Thu, 18 Dec 2025
 09:06:30 -0800 (PST)
MIME-Version: 1.0
References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se>
 <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se>
 <Z1jeINLtB05YMVOY@paquier.xyz>
 <E51258CD-C7B2-4BB1-AB9C-A3DD2B6592D0@yesql.se>
 <F4222274-15C0-40E4-84FB-8FC1355BB8B2@yesql.se>
 <CAOYmi+mSrV8hRaQkvGDf1Df4cmpv5SeTbTxppyxeonMe6MW8nA@mail.gmail.com>
 <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se>
 <aa7gx3mychf3m2g67mbslzbxjy3if4enpcflstoa5pol3432x5@ugqz45gsvurq>
 <F585452A-1F69-4658-A7E8-D1273AC663ED@yesql.se>
 <aLT9xVsTVp0j3zWy@paquier.xyz>
 <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se>
 <D9F6F14D-FCB1-48B5-9CBC-AE89FA0AEF4C@yesql.se>
 <CAOYmi+m2Ks7D4obtXay3y-UNn6CkTNrmr_zWC25vKTdesatafA@mail.gmail.com>
 <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se>
 <DD77A37A-BFCA-4819-A029-1A41E2443D8E@gmail.com>
 <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se>
 <2025112617144938459246@163.com>
 <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se>
 <afb479af-2fe7-4790-ad11-437a326329b5@iki.fi>
 <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se>
 <f621264b-26a6-4b7a-8982-3820b7d6d397@iki.fi>
 <CAGECzQTWH-bzHcdPo=i09TL_P6_HBBNEkBmr+rpN_J9zVfR2Fw@mail.gmail.com>
 <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se>
 <CAOYmi+=u=vS1beiog6p5e843uVdout9qZY=pRj4vo=jCVwgGTA@mail.gmail.com>
 <FB2759EB-C8DB-49FA-800F-7010C65EB8DF@yesql.se>
 <CAOYmi+mZ=i55iH44zPqidZfoNDLwPBMD=PUtD03LR2ut+zMEag@mail.gmail.com>
 <01412917-C42E-4238-97E2-707C32940DDD@yesql.se>
In-Reply-To: <01412917-C42E-4238-97E2-707C32940DDD@yesql.se>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Thu, 18 Dec 2025 09:06:19 -0800
X-Gm-Features: AQt7F2rtuX_IRep8ga6e7QJe7iJFrp4On_aemp5VV0NxHwhXdy0Q9Y9ez6kca0M
Message-ID: 
 <CAOYmi+m05X5fRaeV7w3y4VOePnJJQrihK9A_6ma3e5Pesa5mXA@mail.gmail.com>
Subject: Re: Serverside SNI support in libpq
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
 Heikki Linnakangas <hlinnaka@iki.fi>,
	Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>,
	Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>,
	Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CAOYmi%2Bm05X5fRaeV7w3y4VOePnJJQrihK9A_6ma3e5Pesa5mXA%40mail.gmail.com>
Precedence: bulk

On Wed, Dec 17, 2025 at 4:07=E2=80=AFPM Daniel Gustafsson <daniel@yesql.se>=
 wrote:
> > Will anyone be mad at us for camping on the "no_sni" identifier? I
> > know technically underscore isn't allowed in DNS hostnames, buuuut [1,
> > 2]
>
> Maybe, but I think that regardless of what we do someone will be mad.  Th=
e
> other option would be to use another single character like '?' or somethi=
ng.
> Not sure that will improve readability though.

Hm, I agree that's not readable. Especially since other famous server
implementations use ? to match a single character in server alias
names.

Maybe we could enclose no_sni with something that's emphatically not
DNS. Braces, brackets, etc.? If we had control over the lower level
tokenizer, we could tell people to double-quote it to disambiguate,
but I don't think we have access to that information at our level.

> > Should we support multiple hostname tokens in a single line, though,
> > and just copy the settings that follow across all of them?
>
> I've been hesitant to add too much complexity, but perhaps just allowing =
a
> comma separated list is a good middle ground to avoid going full regex?

I think it could be a pretty good bump in usability. Wildcards seem
ideal but the cost is much higher. Hopefully the cost of
comma-separated hosts is just an extra inner loop in the parser, plus
the extra tests?

I'm trying to put on my "what could we possibly regret" hat for these
next ones. They may be uselessly speculative:

- If the goal is to eventually support wildcards, will the use of a
bare catch-all asterisk conflict with your plans (if any)?
- What kind of normalization should we do? Currently, `example.com`
will not match `example.COM` and it seems like that might be a problem
for somebody.
- Do we need to consider IDNs and A-labels and U-labels? (Do we
support the latter today, at all?)

A nice-to-have v2ish feature might be to warn if the host configured
for a certificate cannot in fact match that certificate according to
OpenSSL.

--Jacob