Re: SSL SNI
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Jacob Champion <pchampion@vmware.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-06-08T14:12:44Z
Lists: pgsql-hackers
On 08.06.21 08:54, Michael Paquier wrote: > On Mon, Jun 07, 2021 at 11:34:24AM -0400, Tom Lane wrote: >> Yeah, I'd include the empty-string test just because it's standard >> practice in this area of libpq. Whether those tests are actually >> triggerable in every case is obscure, but ... > > Checking after a NULL string and an empty one is more libpq-ish. > >> Patch looks sane by eyeball, though I didn't test it. > > I did, and I could not break it. > > + SSLerrfree(err); > + SSL_CTX_free(SSL_context); > + return -1; > It seems to me that there is no need to free SSL_context if > SSL_set_tlsext_host_name() fails here, except if you'd like to move > the check for the SNI above SSL_CTX_free() around L1082. There is no > harm as SSL_CTX_free() is a no-op on NULL input. Good point. Committed that way.
Commits
-
libpq: Fix SNI host handling
- 37e1cce4ddf0 14.0 landed
-
libpq: Set Server Name Indication (SNI) for SSL connections
- 5c55dc8b4733 14.0 landed