Subject: Re: Serverside SNI support in libpq
From: Heikki Linnakangas
To: Daniel Gustafsson, Jacob Champion
Cc: Jelte Fennema-Nio, Dewei Dai, "li.evan.chao", Michael Paquier, Andres Freund, Pgsql Hackers
Date: Wed, 17 Dec 2025 11:06:36 +0200
In-Reply-To: <4b9923d6-65f3-46d5-8360-462f8381fbee@iki.fi>
References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se> <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se> <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se> <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se> <2025112617144938459246@163.com> <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se> <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se> <785C0B88-7068-4576-AF55-251D06CEC112@yesql.se> <4b9923d6-65f3-46d5-8360-462f8381fbee@iki.fi>

On 17/12/2025 11:03, Heikki Linnakangas wrote:
> On 12/12/2025 13:41, Daniel Gustafsson wrote:
>> I wonder if the way forward is to do both?  Heikki has a good point
>> that when working with pg_hosts.conf it should be clear from just that
>> file what the final config will be, and in the previous version that
>> wasn't the case since the ssl_snimode GUC set operation modes.  At the
>> same time, Jacob has a point that overriding configuration just because
>> pg_hosts exists isn't transparent.
>>
>> Adding a boolean GUC which turns pg_hosts (and thus SNI) on or off can
>> perhaps fix both complaints?  If the GUC is on, pg_hosts - and only
>> pg_hosts - is used for configuring secrets.  By using the * fallback and
>> no_sni rule in pg_hosts all variations of configs can be achieved.  If
>> the GUC is off, then the regular SSL GUCs are used and pg_hosts is never
>> considered (and thus SNI is not possible).
>>
>> Such a GUC wouldn't make the patch all that much different from what it
>> is right now. What do you think about that middleground proposal?
>
> I like that.
>
> Instead of a boolean GUC, it could perhaps be a path to the pg_hosts
> file. I haven't thought this through but somehow it feels more natural
> to me than a "read this file or not" setting.

I was thinking that the boolean GUC would be called something like
"read_pg_hosts_file = on / off", which feels unnatural.

But thinking about this more, if the GUC is called something like
"enable_sni = on / off", that feels much better, and I like that more
than my suggestion of specifying the path to the pg_hosts file.

- Heikki
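As an added illustration of the resolution rule Daniel describes and Heikki accepts above (this is not code from the thread or from the PostgreSQL patch), here is a small Python model of the precedence: the GUC name `enable_sni` follows Heikki's suggestion; the dictionary layout, the rule names `no_sni` and `*`, the order in which they are tried for a client that sends no name, and the behaviour when no rule matches are all assumptions made for the example.

```python
# Added example, not from the thread or the PostgreSQL patch. Models the
# proposal: a boolean GUC (named enable_sni here, per Heikki's suggestion)
# decides whether the per-hostname table is consulted at all. When it is on,
# only pg_hosts entries are used, with "*" as a catch-all and "no_sni" for
# clients that send no server name; when it is off, the regular SSL GUCs
# apply unchanged and SNI is never looked at. Table syntax and rule
# precedence are assumptions.

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SslMaterial:
    """Certificate/key pair a server presents in the TLS handshake."""
    cert_file: str
    key_file: str


# Constructed sample of the regular SSL GUCs (ssl_cert_file / ssl_key_file).
REGULAR_SSL_GUCS = SslMaterial("server.crt", "server.key")

# Constructed sample of a pg_hosts table keyed by lower-case SNI name.
# "*" is the fallback rule and "no_sni" the rule for name-less clients,
# both mentioned in the thread; the exact file syntax is not modelled.
PG_HOSTS: Dict[str, SslMaterial] = {
    "db1.example.test": SslMaterial("db1.crt", "db1.key"),
    "no_sni": SslMaterial("legacy.crt", "legacy.key"),
    "*": SslMaterial("wildcard.crt", "wildcard.key"),
}


def resolve_ssl_material(enable_sni: bool,
                         sni_name: Optional[str],
                         pg_hosts: Dict[str, SslMaterial],
                         regular: SslMaterial) -> Optional[SslMaterial]:
    """Return the cert/key pair the server would present to this client.

    enable_sni off: pg_hosts is ignored and the regular GUCs always win,
                    whatever name the client sent.
    enable_sni on:  only pg_hosts is consulted. Exact name match first,
                    then "no_sni" for clients without a name, then the "*"
                    fallback. Returns None when no rule applies (the thread
                    does not say what happens then; refusing the handshake
                    rather than silently falling back to the regular GUCs
                    keeps the "pg_hosts alone decides" property).
    """
    if not enable_sni:
        return regular
    if sni_name is None:
        # Assumed order: the dedicated no_sni rule beats the catch-all.
        return pg_hosts.get("no_sni") or pg_hosts.get("*")
    return pg_hosts.get(sni_name.lower()) or pg_hosts.get("*")


if __name__ == "__main__":
    for flag in (True, False):
        for name in ("db1.example.test", "Other.Example.Test", None):
            chosen = resolve_ssl_material(flag, name, PG_HOSTS, REGULAR_SSL_GUCS)
            print(f"enable_sni={flag!s:5} sni={name!s:19} -> {chosen}")
```

The point the model makes visible is the transparency property from the thread: with the GUC on, the regular GUCs are never consulted, so reading pg_hosts alone tells you what any client will get; with it off, pg_hosts could be deleted without changing behaviour.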