Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vQqAA-001Czm-0Y
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 03 Dec 2025 16:57:11 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vQqA9-00EiOd-0O
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 03 Dec 2025 16:57:09 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <hlinnaka@iki.fi>)
	id 1vQqA8-00EiOH-2S
	for pgsql-hackers@lists.postgresql.org;
	Wed, 03 Dec 2025 16:57:09 +0000
Received: from lahtoruutu.iki.fi ([185.185.170.37])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <hlinnaka@iki.fi>)
	id 1vQqA5-002xXO-1X
	for pgsql-hackers@lists.postgresql.org;
	Wed, 03 Dec 2025 16:57:08 +0000
Received: from [10.0.2.15] (unknown [130.41.208.2])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	(Authenticated sender: hlinnaka)
	by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4dM3hX4k0Tz49QBk;
	Wed, 03 Dec 2025 18:57:00 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu;
	t=1764781021;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=/civBcuSy+lBfWWfL4WehTsPgiiOcUuZWJa5hf1reDE=;
	b=V/Bq8UQfP4dAXPC+VyYWGwRttD6NZZ16Puhg3s7v6KvCXKvomQEoWdltrtVwpbNLOvF8X+
	vGQTctAUvJf0pbo1J1vk4BbHcctatreXhD2jaZp8tFcivg8h9DDGd398HemkwBwf8VWBuz
	pmlDQr1Vyc58/ULWSS/RK0tcfhcsxlJaW20CMKDeQk2F0s4CPvwlzAZtFur/BEuDg5GluZ
	LVv+fNhSroRHa83MjVWr6R/2sEhxdoZWkB3/VNjhMJzd+fCMFKy9r4ztrFnu27+tzz7Hs6
	lR4/WMiPNqsLp8Xc25YMK25dlSGmWQG0rHTIpFZ+YT4Jdvknckb908duBtSlHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi;
	s=lahtoruutu; t=1764781021;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=/civBcuSy+lBfWWfL4WehTsPgiiOcUuZWJa5hf1reDE=;
	b=byfZQARfk5LJ1TROm8MHRBeY0VwioLVC662uacZRO24YfEv7gvGfcpipEjPA9BryOglsGM
	MdWCmi2df/anwR01xzhKBX1bkZNARFckvL/n3mvi3qn2k3pXqSsgtIqWLpyOctTUI+omGl
	UZuEVdONnw/KSBDAuOU1MFwJMRvxtO7moJ/uhB2mZzb4eejAdWzv+LvCQQYdT2kxclLi1E
	k1q+ajKos/eyUZ8wc4Kaidkgz341vPcfkcUkJvQQ0AkRroWi9+ibvqjaCl8CAbSrC/6vT4
	5kU0kMcI08yBo3VS8Fx/lICjm7wv7klm4CoTiDgs0fPRD0LM53omZaozn8hT8w==
ARC-Seal: i=1; a=rsa-sha256; d=iki.fi; s=lahtoruutu; cv=none; t=1764781021;
	b=YqUAU+fFcZd+UurzfUV0Q0ATIS4AErm9merLKyFeT2qhFkeScZpacmFo2h3YiRk5sIiRm5
	m5l2bQRtK+A+Ujz5Smm+DruFQO8F1iQ5DRFSbXwYBUYgQJS2GdKvgLs1v/QLaUFdB9tv8L
	75vn1H1AU8hvIgbMH7cA7nw2mg5wwD6LLqJwuV92bqhLSROORVjpTOdGP+aK0dEZ0pb2Ob
	IsB9kyI26WFoWt01UqciN19Gy7g4UBByY/8ZKzc3421C5GX6qeFQTSz43IJmPWJWecEskU
	RvJPexC+W2rXi4o7VEhHBHYdIVYlqjlmIpZGZ1lQ7MCkx6wutp+XHW0nkkeVeQ==
ARC-Authentication-Results: i=1;
	ORIGINATING;
	auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi
Message-ID: <f621264b-26a6-4b7a-8982-3820b7d6d397@iki.fi>
Date: Wed, 3 Dec 2025 18:56:59 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Serverside SNI support in libpq
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Dewei Dai <daidewei1970@163.com>, "li.evan.chao"
 <li.evan.chao@gmail.com>, Jacob Champion <jacob.champion@enterprisedb.com>,
 Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>,
 Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
References: <88986722-5A72-4DEC-8750-BDBF67FF8C01@yesql.se>
 <7E77028B-5A3A-436B-9046-8E9992E9F94A@yesql.se>
 <Z1jeINLtB05YMVOY@paquier.xyz>
 <E51258CD-C7B2-4BB1-AB9C-A3DD2B6592D0@yesql.se>
 <F4222274-15C0-40E4-84FB-8FC1355BB8B2@yesql.se>
 <CAOYmi+mSrV8hRaQkvGDf1Df4cmpv5SeTbTxppyxeonMe6MW8nA@mail.gmail.com>
 <0BC5B9B1-6503-4563-AAC6-33DEF264AE3F@yesql.se>
 <aa7gx3mychf3m2g67mbslzbxjy3if4enpcflstoa5pol3432x5@ugqz45gsvurq>
 <F585452A-1F69-4658-A7E8-D1273AC663ED@yesql.se>
 <aLT9xVsTVp0j3zWy@paquier.xyz>
 <80F4F8F4-8E4F-4B6F-866B-D837057C1192@yesql.se>
 <D9F6F14D-FCB1-48B5-9CBC-AE89FA0AEF4C@yesql.se>
 <CAOYmi+m2Ks7D4obtXay3y-UNn6CkTNrmr_zWC25vKTdesatafA@mail.gmail.com>
 <0C53C316-C24E-4307-807B-D825CA3F7254@yesql.se>
 <DD77A37A-BFCA-4819-A029-1A41E2443D8E@gmail.com>
 <378D83FA-338C-4EA1-BC60-397BE08D0F01@yesql.se>
 <2025112617144938459246@163.com>
 <0217DEFA-9684-4A77-A005-D30EBEF155C4@yesql.se>
 <afb479af-2fe7-4790-ad11-437a326329b5@iki.fi>
 <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se>
Content-Language: en-US
From: Heikki Linnakangas <hlinnaka@iki.fi>
In-Reply-To: <5D0E78E0-EA79-480E-ABD3-B1EF0156BF8B@yesql.se>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/f621264b-26a6-4b7a-8982-3820b7d6d397%40iki.fi>
Precedence: bulk

On 03/12/2025 18:52, Daniel Gustafsson wrote:
>> On 3 Dec 2025, at 10:57, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> Do we need the GUC? It feels a little confusing that a GUC affects how the settings in the pg_hosts.conf are interepreted. It'd be nice if you could open pg_hosts.conf in an editor, and see at one glance everything that affects this.
> 
> I added the GUC for two reasons; as a way to opt-out of this feature if it's
> something that the admin doesn't want; and as a way to set the SNI mode.  There
> are currently the two modes of STRICT and DEFAULT which affects how incoming
> connections are handled.  The first motivation might be unfounded, and the
> second one could be encoded in a pg_hosts configuration though implicitly
> rather than explicitly.
> 
> Having all the details in pg_hosts.conf is appealing, no disagreement there,
> but it does pose some challenges in the interaction with the postgresql.conf
> GUCS (more later).
> 
>> I propose that there is no GUC. In 'pg_hosts.conf', you can specify a wildcard '*' host that matches anything. You can also specify a "no sni" line which matches connections with no SNI specified. (Or something along those lines, I didn't think too hard about all the interactions).
> 
> So basically reserving a hostname,"no_sni" or something, which indicates that
> it's for non sslsni connections?  That should work, with the parsing rule that
> there can only be one in the file.

Yeah, something like that. And to implement the "strict" mode, you could 
have a "no_sni" line with no cert/key specified.

>> For backwards-compatibility, if you specify a certificate and key in postgresql.conf, they are treated the same as if you had a "*" line in pg_hosts.conf.
> 
> That's a bit trickier though, since the cert/key have a default boot_val so
> they will always be set to something unless the user enables ssl=on and at the
> same time uncomments ssl_cert_file/ssl_key_file and set them to '' before
> proceeding to add configuration in pg_hosts.conf.  This is pretty unintuitive I
> think.  unintuitive.  This backwards comatibility is one of the reasons I kept
> the postgresl.conf values for the default context config.
> 
> I really want to make it possible for anyone who don't want SNI to keep using
> postgresql.conf and get the exact behavior they've always had.  Do you agree
> with that design goal?

Yeah, that's fair.

- Heikki