SSL SNI
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2021-02-15T14:09:47Z
Lists: pgsql-hackers
Attachments
- 0001-Set-SNI-for-SSL-connections-from-the-client.patch (text/plain) patch 0001
A customer asked about including Server Name Indication (SNI) into the SSL connection from the client, so they can use an SSL-aware proxy to route connections. There was a thread a few years ago where this was briefly discussed but no patch appeared.[0] I whipped up a quick patch and it did seem to do the job, so I figured I'd share it here. The question I had was whether this should be an optional behavior, or conversely a behavior that can be turned off, or whether it should just be turned on all the time. Technically, it seems pretty harmless. It adds another field to the TLS handshake, and if the server is not interested in it, it just gets ignored. The Wikipedia page[1] discusses some privacy concerns in the context of web browsing, but it seems there is no principled solution to those. The relevant RFC[2] "recommends" that SNI is used for all applicable TLS connections. [0]: https://www.postgresql.org/message-id/flat/CAPPwrB_tsOw8MtVaA_DFyOFRY2ohNdvMnLoA_JRr3yB67Rggmg%40mail.gmail.com [1]: https://en.wikipedia.org/wiki/Server_Name_Indication [2]: https://tools.ietf.org/html/rfc6066#section-3
Commits
-
libpq: Fix SNI host handling
- 37e1cce4ddf0 14.0 landed
-
libpq: Set Server Name Indication (SNI) for SSL connections
- 5c55dc8b4733 14.0 landed