Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vW1PW-00AspO-2K for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Dec 2025 23:58:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vW1PV-00H3bp-0p for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Dec 2025 23:58:26 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vW1PU-00H3bg-2z for pgsql-hackers@lists.postgresql.org; Wed, 17 Dec 2025 23:58:25 +0000 Received: from mail-qk1-x731.google.com ([2607:f8b0:4864:20::731]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vW1PT-001Ehk-0k for pgsql-hackers@lists.postgresql.org; Wed, 17 Dec 2025 23:58:23 +0000 Received: by mail-qk1-x731.google.com with SMTP id af79cd13be357-8b2f2c5ec36so8619285a.1 for ; Wed, 17 Dec 2025 15:58:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1766015902; x=1766620702; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=72jWIBVR/N8GzTrdcbPqL1ngQ/VBLHVrn3BOqtWNixk=; b=EQuB3R4Go8xlu/9AVxTEJMFg6aNSwE/nm7S96SywaEpqY/nXkgDNvkmM/0v8vms13Q /Cco0FXVqE33k0+c1VgSXLORRhfnIut0WP3FCk7xCoTvMa8pyCJvkca0Saw7b09XsLSy 9Z9KtNjMiSZ7nk2cXf+MZtgGfT/7tOZ8fQxp6IiTeIL/XMtjF5pltNoz3BOXksCB8VNA GipyQd/9+5Wm/p7OU4QVyo6MsaSldigLWEgFQfbTtyD9PZO+Y38Dtf6b9px/SkQdBV5G rcji3BNtlCjgC0rYr9cP6hyKcrlebkUug7yvk8Zh4huoiUYrMnCrkftHUtTE+1Z63BpB gT0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766015902; x=1766620702; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=72jWIBVR/N8GzTrdcbPqL1ngQ/VBLHVrn3BOqtWNixk=; b=wi2BXzI9/xzcQWlo60ep8TjsRpw06uSgjysvlHK3Ts2hdO24rZaOc2rh1WMgoGIQfd R1W9BSHCyj9asPpiWieEs1svOQVA1SZQQKaXQxJhDT60hPU2z5xtLCNm+T6QQPQR0dDK magHtN3GkDFvVkssTK+H7/ts1x6+hqJ0Jo9GloNGEYaqOKdzIFbNq756T+1Tq2mP7zwM e+GH1EiymubS/7bG7Qv5X/WwYxLJwJi4+DGhPUoPwUk7Kp9l9Or6Y7VB8ppoGfbEgHCw kax1fhazUF0HcRu0vcWSDJZwMz0NU3O7aHlPTciKrTS/TCmhpz2fNz/lO5eGnZ1B+XTn G7Rw== X-Forwarded-Encrypted: i=1; AJvYcCUOazwQ3abtJ51rhNvwl4WheMxr1VBkG/CCukoJTFCDKPL8tJF0uLxFNp5/dwpIchv3dewWx24JeOAGJKt2@lists.postgresql.org X-Gm-Message-State: AOJu0YxQol52QtBlqCeXR/DFUA+BR+yUCH6B3QpotTx9WHgcNaXZmx4q x/zd7LW+s3RgSC+BouM26SlxE/atJkUyP+sa1LZXcWUSBnunBK5uArLTvujvhGZ4YayD9kt9lEI 5c8+rtX857e1BwYhdZUMjlp+k/iYqNN0LqIV8FR+5 X-Gm-Gg: AY/fxX7Ve2qVR6T4XPjP5j///QnivcM8NvmJc/iw0UL1IHyxE0wFbgi4gZny850NUBt 2sgLGhvI0KSZWTnPfxZ1kCqiGJ9/HuH+DWWNPI97O2+7q0oZQKvp/9Vbif4CN6QhnQl624zSJSO /7mwT7VVd59+LxNT+HPD8Ian6s4cHr2JJs00CUJmXdj2wLuvan1XdDpgD8f1vvWMixnkwFlAF4X fFphKDizIYDXUgyM/nrfv0NMwLcNlfJotvqORkx1Zvvo4sw6ZqGjNvp2z+svSeO3DG+Bxxp8A== X-Google-Smtp-Source: AGHT+IGOEou7vLnhADS9fY4y++J33uVyHynI0D1LX+x2yV7RW2XTc3RLezy0itOesyhbkSh1+Vjywfa6Uk2wDSfMtNU= X-Received: by 2002:a05:620a:4d53:b0:8bb:9f02:48b6 with SMTP id af79cd13be357-8bb9f029e29mr1810851585a.71.1766015901694; Wed, 17 Dec 2025 15:58:21 -0800 (PST) MIME-Version: 1.0 References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se> <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se> <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se> <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se> <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se> <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se> <2025112617144938459246@163.com> <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se> <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se> <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> In-Reply-To: From: Jacob Champion Date: Wed, 17 Dec 2025 15:58:10 -0800 X-Gm-Features: AQt7F2pMUfstHFMD10d4DVQoX0Cb1yAZnwer4hZd0pY5YGrtBFmrDOvWJRXiquc Message-ID: Subject: Re: Serverside SNI support in libpq To: Daniel Gustafsson Cc: Jelte Fennema-Nio , Heikki Linnakangas , Dewei Dai , "li.evan.chao" , Michael Paquier , Andres Freund , Pgsql Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Dec 12, 2025 at 3:41=E2=80=AFAM Daniel Gustafsson = wrote: > > The comment for HostsLine.ssl_ca, and the code that assigns it, > > implies to me that host->ssl_ca should never be NULL. Am I missing a > > case where it could be? > > The attached version allows ssl_ca to be omitted from the pg_host config = to > match the ssl_ca GUC. Aha! I think ssl_ca should be moved into the "Optional fields" section of `struct HostsLine` now. > I'm still not sure why they pass for me locally with that error, but I've > updated to patch to match CI. There's one diff remaining from my old tests patch: the example.org line doesn't set ssl_ca, so I expect > - expected_stderr =3D> qr/unknown ca/); > + expected_stderr =3D> qr/client certificates can only be checked i= f a root certificate store is available/); because host_context->ssl_loaded_verify_locations should be false. But that doesn't happen... Why? > Adding a boolean GUC which turns ph_hosts (and thus SNI) on or off can pe= rhaps > fix both complaints? Sounds reasonable, I think. -- Just checking my understanding: is the use case for no_sni primarily that you should be able to strictly refuse clients who say they're talking to someone else -- so you don't want a wildcard -- but you still want to gracefully handle clients who don't speak SNI at all? > + else if (strcmp(host->hostname, "no_sni") =3D=3D 0) > + no_sni_context =3D host_context; Will anyone be mad at us for camping on the "no_sni" identifier? I know technically underscore isn't allowed in DNS hostnames, buuuut [1, 2] > + /* Hostname */ > + field =3D list_head(tok_line->fields); > + tokens =3D lfirst(field); > + token =3D linitial(tokens); > + parsedline->hostname =3D pstrdup(token->string); We should probably check tokens->length to make sure that the user hasn't passed more than one token for each field, similar to how parse_hba_line() does it. Should we support multiple hostname tokens in a single line, though, and just copy the settings that follow across all of them? That would allow you to collapse example.org server.crt server.key example.com server.crt server.key sub.example.com server.crt server.key * other.crt other.key into example.org,example.com,sub.example.com server.crt server.key * other.crt other.key or even @my-hostnames.txt server.crt server.key * other.crt other.key Then you'd have a fighting chance at automatically generating the lists, especially since we don't do wildcards yet. --Jacob [1] https://github.com/netty/netty/pull/8150 [2] https://github.com/openssl/openssl/issues/12566