Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1NXp-00BnBt-CR for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 09:43:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s1NXm-00GE4b-Cn for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 09:43:31 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1NXl-00GE4T-Oi for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 09:43:30 +0000 Received: from meesny.iki.fi ([195.140.195.201]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1NXf-000aM7-8G for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 09:43:29 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by meesny.iki.fi (Postfix) with ESMTPSA id 4VSdgC1D87zyRh; Mon, 29 Apr 2024 12:43:19 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1714383799; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S7QeOU+r1jlHSOnYfvv0pVhda58cQ4XrkG+ApK50E7M=; b=gpBFCdaN78KrB8SkjVA0u/omYv8tT8mZ8z0tt7PEZ/Rd/+hT/Wlo0o21GiPL4ZKA/LCn2B AKfl+AqiReFi5qWXBFHSK0mH4DcBxFyw+qHDe1WuILQCKOWIZTuA1sPgkZfczl0xPXANZI OqSXJ2eUlWSIvRPwnvvGJ2IN+6LqkBM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1714383799; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S7QeOU+r1jlHSOnYfvv0pVhda58cQ4XrkG+ApK50E7M=; b=ZoszU6w2NlqlzA5sR5JDrs1X1vJY9NcOIe9sd/8jVb70tSLpJI4UA26401CCC7fuSUfk0W glcEHS10CWjL7fYItSK9PdZlEgkjcpu89C50I5diwg6KZ4q3iRc/chxuduI9K54cf3hAE6 DF0tRLRgKuxwnYoRapy/hWWy0cOXlQA= ARC-Seal: i=1; s=meesny; d=iki.fi; t=1714383799; a=rsa-sha256; cv=none; b=EZIKaWVawewQHdZtwe4gGy8IemNcd6tUVrUQtq5X8gmaTuhaQ/EqqKXBin9mV2+blOWW1R SctxWnL4zVrklHkSWO3bEyylE8oAtqnmHFZax7TFpH8jhf2pfOrH47z+wVuyk/VLKd+VjZ WnDzK3sH33XsDu2FzCDNq3+TafxtDuw= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi Message-ID: Date: Mon, 29 Apr 2024 12:43:18 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Michael Paquier Cc: Jacob Champion , Postgres hackers References: Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 23/04/2024 10:07, Michael Paquier wrote: > In the documentation of PQsslAttribute(), it is mentioned that empty > string is returned for "alpn" if ALPN was not used, however the code > returns NULL in this case: > SSL_get0_alpn_selected(conn->ssl, &data, &len); > if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1) > return NULL; Good catch. I changed the code to return an empty string, as the documentation says. I considered if NULL or empty string would be better here. The docs for PQsslAttribute also says: "Returns NULL if the connection does not use SSL or the specified attribute name is not defined for the library in use." If a caller wants to distinguish between "libpq or the SSL library doesn't support ALPN at all" from "the server didn't support ALPN", you can tell from whether PQsslAttribute returns NULL or an empty string. So I think an empty string is better. -- Heikki Linnakangas Neon (https://neon.tech)