Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-03-16T14:24:28Z
Lists: pgsql-hackers

Attachments

The attached rebase brings a few more tests by Jacob for ensuring that a) CA's
entirely replace when a host config is matched; b) that CRL's work as intended
for certificates configured in pg_hosts.conf; and c) ssl_sni and TLS init
aren't configured at the same time.

This concludes all TODOs in the code, unless there are review objections I plan
to go ahead with this version within a few days.

--
Daniel Gustafsson

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Declare load_hosts() as returning HostsFileLoadResult.

  2. ssl: Skip passphrase reload tests in EXEC_BACKEND builds

  3. ssl: Serverside SNI support for libpq

  4. ssl: Add tests for client CA