Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w2rpz-000gKr-1G
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 18 Mar 2026 14:25:31 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w2rpy-00BPfC-09
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 18 Mar 2026 14:25:30 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <daniel@yesql.se>)
	id 1w2rpx-00BPf4-1z
	for pgsql-hackers@lists.postgresql.org;
	Wed, 18 Mar 2026 14:25:29 +0000
Received: from smtp.outgoing.loopia.se ([93.188.3.37])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <daniel@yesql.se>)
	id 1w2rpt-00000000N55-3HFB
	for pgsql-hackers@lists.postgresql.org;
	Wed, 18 Mar 2026 14:25:28 +0000
Received: from s807.loopia.se (localhost [127.0.0.1])
	by s807.loopia.se (Postfix) with ESMTP id C996F554C5F
	for <pgsql-hackers@lists.postgresql.org>;
 Wed, 18 Mar 2026 15:25:24 +0100 (CET)
Received: from s981.loopia.se (unknown [172.22.191.6])
	by s807.loopia.se (Postfix) with ESMTP id B88C5554770;
	Wed, 18 Mar 2026 15:25:24 +0100 (CET)
Received: from localhost (unknown [172.22.191.5])
	by s981.loopia.se (Postfix) with ESMTP id B34E722B178C;
	Wed, 18 Mar 2026 15:25:24 +0100 (CET)
X-Virus-Scanned: amavis at amavis.loopia.se
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2
 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1] autolearn=disabled
Authentication-Results: s473.loopia.se (amavis); dkim=pass (2048-bit key)
 header.d=yesql.se
Received: from s899.loopia.se ([172.22.191.6])
 by localhost (s473.loopia.se [172.22.190.13]) (amavis, port 10024)
 with UTF8LMTP id 4RDHuTyCa_q7; Wed, 18 Mar 2026 15:25:24 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: daniel@yesql.se
X-Loopia-Originating-IP: 89.255.232.236
Received: from smtpclient.apple (customer-89-255-232-236.stosn.net
 [89.255.232.236])
	(Authenticated sender: daniel@yesql.se)
	by s899.loopia.se (Postfix) with ESMTPSA id E779C2C8BACA;
	Wed, 18 Mar 2026 15:25:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se;
	s=loopiadkim1707475645; t=1773843924;
	bh=dDBgDLW+uDxaoMpxGg1mDleOz2sZ/QggBrd3kesGIDg=;
	h=From:Subject:Date:In-Reply-To:Cc:To:References;
	b=X/DjAvIPDb1mCUcxADJvj4ZnNHx0qVUkUFILgBYK+bgkisTq8al4GikMkDR9ebIJ5
	 PK3YHf+zrrVr+YbkkgpuUjxu3Rk4/0GdMqry4mQPJ1EtlvNwNk13g0n784HuwBupF8
	 rds/wh+AVwmQxRakw+oH2WkuF4FmhKtE1k3y1wvhUtgONEYla2TnEcL+diLiIc6ujh
	 OVRunVcjV9AfRQhsyzi6z7ynY7fb+NguHAgvAENxYl82M9KXtRPW6c1Lw/2zKRiyfc
	 y/3vtx7L3L9OQ/lr1B6fIwDRe8FwtSXJsQcjw0FPYJyO5S1nB3rw677EkCEUnJtYUZ
	 QnARF+alrGPBg==
From: Daniel Gustafsson <daniel@yesql.se>
Message-Id: <DC2A4BB6-9D9D-4752-8296-6AE1321E8048@yesql.se>
Content-Type: multipart/mixed;
	boundary="Apple-Mail=_F9ABFF2E-28A9-4799-905A-12CE46BFEEF4"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.2\))
Subject: Re: Serverside SNI support in libpq
Date: Wed, 18 Mar 2026 15:25:13 +0100
In-Reply-To: 
 <CAOYmi+kXmCCgBWffzmSjaNhME5rD=gjyc_OP1FeWQTw2MmSNjg@mail.gmail.com>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>,
 Jelte Fennema-Nio <postgres@jeltef.nl>,
 Heikki Linnakangas <hlinnaka@iki.fi>,
 Dewei Dai <daidewei1970@163.com>,
 "li.evan.chao" <li.evan.chao@gmail.com>,
 Michael Paquier <michael@paquier.xyz>,
 Andres Freund <andres@anarazel.de>,
 Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>
References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se>
 <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se>
 <Z1jeINLtB05YMVOY@paquier.xyz>
 <E51258CD-C7B2-4BB1-AB9C-A3DD2B6592D0@yesql.se>
 <F4222274-15C0-40E4-84FB-8FC1355BB8B2@yesql.se>
 <CAOYmi+mSrV8hRaQkvGDf1Df4cmpv5SeTbTxppyxeonMe6MW8nA@mail.gmail.com>
 <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se>
 <aa7gx3mychf3m2g67mbslzbxjy3if4enpcflstoa5pol3432x5@ugqz45gsvurq>
 <F585452A-1F69-4658-A7E8-D1273AC663ED@yesql.se>
 <aLT9xVsTVp0j3zWy@paquier.xyz>
 <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se>
 <D9F6F14D-FCB1-48B5-9CBC-AE89FA0AEF4C@yesql.se>
 <CAOYmi+m2Ks7D4obtXay3y-UNn6CkTNrmr_zWC25vKTdesatafA@mail.gmail.com>
 <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se>
 <DD77A37A-BFCA-4819-A029-1A41E2443D8E@gmail.com>
 <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se>
 <2025112617144938459246@163.com>
 <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se>
 <afb479af-2fe7-4790-ad11-437a326329b5@iki.fi>
 <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se>
 <f621264b-26a6-4b7a-8982-3820b7d6d397@iki.fi>
 <CAGECzQTWH-bzHcdPo=i09TL_P6_HBBNEkBmr+rpN_J9zVfR2Fw@mail.gmail.com>
 <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se>
 <CAOYmi+=u=vS1beiog6p5e843uVdout9qZY=pRj4vo=jCVwgGTA@mail.gmail.com>
 <FB2759EB-C8DB-49FA-800F-7010C65EB8DF@yesql.se>
 <CAOYmi+mZ=i55iH44zPqidZfoNDLwPBMD=PUtD03LR2ut+zMEag@mail.gmail.com>
 <01412917-C42E-4238-97E2-707C32940DDD@yesql.se>
 <CAOYmi+m05X5fRaeV7w3y4VOePnJJQrihK9A_6ma3e5Pesa5mXA@mail.gmail.com>
 <F3BFF481-E9FD-4893-92D2-925BE2229401@yesql.se>
 <CAOYmi+nsqYiXLxN7G4A5edBJWXZ8qD=zFnaE2bEzuMj2_xBT7Q@mail.gmail.com>
 <B481FA78-0173-4D0F-84C5-EDFB613B6428@yesql.se>
 <AE0BE080-02E8-4EF2-980B-15302FA1599E@yesql.se>
 <A4CFF972-B404-4422-A9BF-E0E2797CCBF3@yesql.se>
 <CAN4CZFOGiKAX_gD4Ck+o79n5hAVr3UmuTbYwaABcCuhWA3UehQ@mail.gmail.com>
 <1C38F269-E552-4F78-9E88-E91CEDB12F35@yesql.se>
 <23D19F69-A8DE-4F89-99F6-5FC48762CE4D@yesql.se>
 <CAN4CZFOFAgfyjO7MtCajmtErL1uSzDrSEmxGHOwMFYY3J4Qp+A@mail.gmail.com>
 <561BF011-1626-43A5-BD82-913E67EEBA8B@yesql.se>
 <BAA4F15D-6295-41DD-A1F8-6F5C1E1ECC52@yesql.se>
 <CAOYmi+kXmCCgBWffzmSjaNhME5rD=gjyc_OP1FeWQTw2MmSNjg@mail.gmail.com>
X-Mailer: Apple Mail (2.3776.700.51.11.2)
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/DC2A4BB6-9D9D-4752-8296-6AE1321E8048%40yesql.se>
Precedence: bulk


--Apple-Mail=_F9ABFF2E-28A9-4799-905A-12CE46BFEEF4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

> On 18 Mar 2026, at 14:01, Jacob Champion =
<jacob.champion@enterprisedb.com> wrote:
>=20
> On Wed, Mar 18, 2026 at 5:19=E2=80=AFAM Daniel Gustafsson =
<daniel@yesql.se> wrote:
>> longfin has so far reported a test failure which I am looking into.
>=20
> I took a quick look at culicidae and I think that's just due to the
> use of EXEC_BACKEND. Rather than $windows_os the SKIP logic should
> probably use something like 001_server's $exec_backend.

That's a bit embarrassing, I spent some time investigating passphrase =
reloading
under EXEC_BACKEND as part of this patchset..

The longfin issue is a bit more odd, I can reproduce it on macOS with =
OpenSSL
1.1.1 but nowhere else.  Rather than reporting an SSL error for aborted
handshake it reports a SYSCALL error.  Using SYSCALL error for when the =
server
close the connection abruptly is documented, but not really this case =
where it
does so with no error codes at all (which given OpenSSL documentation =
doesn't
really say much..).  The change in the attached diff does fix it for me =
but I'm
a bit hesitant to apply something like that, I would be more inclined to =
the
change the expected output in the test.  What are your thoughts?

--
Daniel Gustafsson


--Apple-Mail=_F9ABFF2E-28A9-4799-905A-12CE46BFEEF4
Content-Disposition: attachment;
	filename=bf_fixes.diff
Content-Type: application/octet-stream;
	x-unix-mode=0644;
	name="bf_fixes.diff"
Content-Transfer-Encoding: 7bit

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..943dd2d6767 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1381,6 +1381,8 @@ open_client_SSL(PGconn *conn)
 					else if (r == -1 && save_errno != 0)
 						libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
 												SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
+					else if (save_errno == 0 && vcode == X509_V_OK && ecode == 0)
+						libpq_append_conn_error(conn, "SSL error: handshake failure");
 					else
 						libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
 					pgtls_close(conn);
diff --git a/src/test/ssl/t/004_sni.pl b/src/test/ssl/t/004_sni.pl
index 4e06475b125..878e32ff107 100644
--- a/src/test/ssl/t/004_sni.pl
+++ b/src/test/ssl/t/004_sni.pl
@@ -47,6 +47,9 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
 
+my $exec_backend = $node->safe_psql('postgres', 'SHOW debug_exec_backend');
+chomp($exec_backend);
+
 $ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR,
 	$SERVERHOSTCIDR, 'trust');
 
@@ -320,9 +323,10 @@ unlike(
 
 SKIP:
 {
-	# Passphrase reloads must be enabled on Windows to succeed even without a
-	# restart
-	skip "Passphrase command reload required on Windows", 1 if ($windows_os);
+	# Passphrase reloads must be enabled on Windows (and EXEC_BACKEND) to
+	# succeed even without a restart
+	skip "Passphrase command reload required on Windows", 1
+		if ($windows_os || $exec_backend =~ /on/);
 
 	$node->connect_ok(
 		"$connstr sslrootcert=ssl/root+server_ca.crt sslmode=require host=localhost",

--Apple-Mail=_F9ABFF2E-28A9-4799-905A-12CE46BFEEF4--