Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Zsolt Parragi <zsolt.parragi@percona.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-03-18T17:09:22Z
Lists: pgsql-hackers
> On 18 Mar 2026, at 16:35, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>> On 18 Mar 2026, at 15:33, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> IIRC longfin is using some fairly old hand-built openssl installation.
> 
>> Thanks for confirming, that matches with my local repro which required building
>> 1.1.1 on macOS. Did you build with Apple clang or a a stock clang/gcc?
> 
> It's been awhile, but I can't imagine that I didn't use Apple's
> compiler of the time.  [ Checks longfin's host... ]  The files
> in that openssl tree are all dated Nov 20 2018, so it's probably
> due for a refresh in any case.

I've done more testing now and I can only reproduce this with downgraded
versions of OpenSSL 1.1.1, when running the latest 1.1.1x the error goes away
and the error is reported as expected.  Can you try to upgrade your machine,
which I assume isn't running bleeding edge 1.1.1 by the sounds of it.

--
Daniel Gustafsson




Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Declare load_hosts() as returning HostsFileLoadResult.

  2. ssl: Skip passphrase reload tests in EXEC_BACKEND builds

  3. ssl: Serverside SNI support for libpq

  4. ssl: Add tests for client CA