Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgtV9-006JaW-2L for pgsql-hackers@arkaria.postgresql.org; Fri, 16 Jan 2026 23:45:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vgtV8-005aT3-19 for pgsql-hackers@arkaria.postgresql.org; Fri, 16 Jan 2026 23:45:10 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgtV7-005aSr-2t for pgsql-hackers@lists.postgresql.org; Fri, 16 Jan 2026 23:45:10 +0000 Received: from mail-qv1-xf2a.google.com ([2607:f8b0:4864:20::f2a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vgtV4-000prw-2C for pgsql-hackers@lists.postgresql.org; Fri, 16 Jan 2026 23:45:08 +0000 Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-8907ec50855so35123266d6.3 for ; Fri, 16 Jan 2026 15:45:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1768607106; x=1769211906; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=TL2mZhqEMLr/V46AZ5fDdqeSJjNlFho5HO8C5+u4YFw=; b=drHX+89HJpLE3cKmgg8/Bn2SpPoxUmugjp46F197U/uabmb0dGu/WMWJwieDDEGp2f ob6XYhsMvVs9NhEfW787Zd/nth19wJRv+4y2Ib6wG24a/yWxT4GBtWqakD9L3RBkoRQw bxZfTU1ZDD4NmVI19qLM2Ly2FNYqYwhncL6+KdLxhEC+xDbiejoxip/7xMlecFtCeARV Gp0b7zigluRPiulfdh2hUKu348VhacjY1l1Z+E07r9s9HHpRRsL6Y2AD30bUXuAb27L/ 1KofqtoYCBoxxbAbvhnfPUa4GyqJ/TXs9a3QXofZWRzKltOmvnOZOUEmRLhXw/yuXlmu 31Iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768607106; x=1769211906; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=TL2mZhqEMLr/V46AZ5fDdqeSJjNlFho5HO8C5+u4YFw=; b=OHa1qTriLxGCK+Wo0Vo9BA/oWDkuG2Q1BjrjmA7O94+G7LMQ4k88fHQLn7N3IjyLHt siYcpeK5Bmubz137M1kJJGwdPY9R2uXx4PFIQzEeGwPBnJwP22Nrp6UCwbenw55HFw1T pgmAbWnWeV3pyBUE1cdxu0SQLRPV1F/OLwHTMXhvY4D4etvVu602nxaHw8RTA7T0NW9t beIMXEd68oDtY92aYx7KE/9ZuPqDgPO3DxABJwoHiht0YMPa/xOJJRVdS/7HP8I5rOqR YwmHIHJvq0Phjaq73ay5KYztQm8pzVJGFUt99eRn3STQQSFGIsJRnfUJsmlsdHX8FhMW 5FKQ== X-Forwarded-Encrypted: i=1; AJvYcCUk/vYiJe611VcUgIoRqCtAeZvb+W14BcFhcsGP8VYrTWg+KgGg7CiVxmlcIEEQyFbTRXYmnG47+/cHR3fa@lists.postgresql.org X-Gm-Message-State: AOJu0Yzf3MgAAbPR28ihtaSUeRvka/YN5PYxO/gHHXkoYEmN6tM9ipW6 8Orgva/LsFxi40HReyca2cmBPWu0cmIHd9sRZ5jyzxl4xU/oOfHJUzRZmYaWaces6MJi9yRU7KW q6GAKaKR3u6DTxkCELCcS1YnwbxWPFLuT0gJciB/N X-Gm-Gg: AY/fxX6uzRGWb2p4+HtK3bJDaWXSryMslCpwjmY+emPQHik9UTf5V7ja06ux65v2luB ERgCRMdZS/ppPcU7aiAN0heqN3ZUxXFkiw2+YYQ6cCfCbqz/wq+aS8azeRhqdc6GpSMBVaXEKcA Is2uKUxu48iae6T78JrF/9rWpfpCMNLozkXEKC7d8igBwghAO7QN0dMiiWfGMWzZviAbNHQ9/4E QVEX1cAlBK2KbZ35MRVPux8MfjMpxxGMw3DFtvc9gNFOCMAorBczZN9sxMZFu+UVst96SmOHA== X-Received: by 2002:a05:6214:c6b:b0:890:4f86:495e with SMTP id 6a1803df08f44-8942e4b9153mr62226916d6.39.1768607106287; Fri, 16 Jan 2026 15:45:06 -0800 (PST) MIME-Version: 1.0 References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se> <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se> <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se> <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se> <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se> <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se> <2025112617144938459246@163.com> <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se> <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se> <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> <01412917-C42E-4238-97E2-707C32940DDD@yesql.se> In-Reply-To: From: Jacob Champion Date: Fri, 16 Jan 2026 15:44:55 -0800 X-Gm-Features: AZwV_Qjud0J3exZTHNCAR5cSsS9NqtBBq96X__r4SvdtxSmn5kaVMzVtMMEXw4U Message-ID: Subject: Re: Serverside SNI support in libpq To: Daniel Gustafsson Cc: Jelte Fennema-Nio , Heikki Linnakangas , Dewei Dai , "li.evan.chao" , Michael Paquier , Andres Freund , Pgsql Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk [skipping right to the weird part, will circle back to the other questions later] On Tue, Jan 13, 2026 at 1:57=E2=80=AFAM Daniel Gustafsson = wrote: > I think the attached is pretty clear improvement over the previous versio= n so > thanks for the review suggestions. That being said, the test which was > reported to still fail upstream is failing here as well (it does the righ= t > thing with the connection, but terminates the handshake in a different pl= ace). > In an attempt to fix that I moved to using the ClientHello callback which > OpenSSL document to be the right one (yet they use the servername callbac= k > themselves), but it renders the same result. I hope that your eagle eyes= (or > someone elses) can figure out either what is wrong, or if this is a diffe= rent > form of right. The same failing test is added to 0001 to run it in a str= ictly > non-SNI config as well. I hadn't realized that this also regressed without SNI! That helped a lot. With 0001, the bug is this diff, which runs the verify_cb regardless of the ssl_ca setting: > - SSL_CTX_set_verify(context, > - (SSL_VERIFY_PEER | > - SSL_VERIFY_CLIENT_ONCE), > - verify_cb); > } > > + /* > + * Always ask for SSL client cert, but don't fail if it's not present= ed. > + * We might fail such connections later, depending on what we find in > + * pg_hba.conf. > + */ > + SSL_CTX_set_verify(context, > + (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), > + verify_cb); 0002 undid that but reintroduced it in be_tls_open_server(): > /* enable ALPN */ > SSL_CTX_set_alpn_select_cb(SSL_context, alpn_cb, port); > > + SSL_CTX_set_verify(SSL_context, > + (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), > + verify_cb); If I remove that diff, the regression goes away. But then we start failing SNI tests: > [14:24:05.901](0.000s) not ok 72 - host: 'example.com', ca: 'root+client_= ca.crt': connect with sslcert, client certificate sent: no stderr > [14:24:05.902](0.000s) # Failed test 'host: 'example.com', ca: 'root+cl= ient_ca.crt': connect with sslcert, client certificate sent: no stderr' > # at src/test/ssl/t/004_sni.pl line 314. > [14:24:05.902](0.000s) # got: 'psql: error: connection to server= at "127.0.0.1", port 15428 failed: FATAL: connection requires a valid cli= ent certificate' > # expected: '' > [14:24:05.917](0.000s) not ok 76 - host: 'example.net', ca: 'root+server_= ca.crt': connect with sslcert, client certificate sent: matches > [14:24:05.917](0.000s) # Failed test 'host: 'example.net', ca: 'root+se= rver_ca.crt': connect with sslcert, client certificate sent: matches' > # at ssl/t/004_sni.pl line 327. > [14:24:05.917](0.000s) # 'psql: error: connection to se= rver at "127.0.0.1", port 15428 failed: FATAL: connection requires a valid= client certificate' > # doesn't match '(?^:unknown ca)' I think the root problem probably comes back to SSL_set_SSL_CTX [1]. That copies the certificate over from the new SSL_CTX, but it doesn't really seem to care about much else, and there are a _lot_ of settings copied into the SSL pointer during initial connection [2] that are ignored there. The verify mode and callback are two such settings. So is the password callback (which may mean that the new per-host-line logic for openssl_tls_init_hook won't work correctly either). So unless Matt Caswell knows of an existing API that does this right, I think I'm coming back to the idea that we should keep a single SSL_CTX, and then use the selected HostsLine to override individual connection settings during the clienthello/servername callback. Do we give anything up with that approach? --Jacob [1] https://postgr.es/m/CAOYmi%2Bk%3DVF-2BCqfR49A92tx%3D_QNuL%3D3iT3w6FysOf= fKw9cxDQ%40mail.gmail.com [2] https://github.com/openssl/openssl/blob/5d401004a0/ssl/ssl_lib.c#L731