Re: Serverside SNI support in libpq
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>,
Dewei Dai <daidewei1970@163.com>,
"li.evan.chao" <li.evan.chao@gmail.com>,
Jacob Champion <jacob.champion@enterprisedb.com>,
Michael Paquier <michael@paquier.xyz>,
Andres Freund <andres@anarazel.de>,
Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-12-03T23:27:53Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
ssl: Serverside SNI support for libpq
- 4f433025f666 19 (unreleased) landed
-
ssl: Add tests for client CA
- 25e568ba7ce7 19 (unreleased) landed
> On 3 Dec 2025, at 22:27, Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > > On Wed, 3 Dec 2025 at 17:57, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >>> I really want to make it possible for anyone who don't want SNI to keep using >>> postgresql.conf and get the exact behavior they've always had. Do you agree >>> with that design goal? >> >> Yeah, that's fair. > > What if we make it so that if a pg_hosts.conf file exists, then the > ssl_cert_file/ssl_key_file configs are ignored? And by default initdb > would not create a file (or it would, but with the same default > settings that we have now). Maybe. I'm not a big fan of magic-file-exist configurations but.. I'm trying out a few different options to see which seems the most reasonable, and this is for one of them. > Basically it would be: > 1. If the file does not exist, use the "off" behaviour > 2. If the file exists, use the "strict" behaviour It will really be "strict" *or* "default" based on whether or not '*' is set as a wildcard hostname (which can be argued is just a version of strict). -- Daniel Gustafsson