Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Jacob Champion <jacob.champion@enterprisedb.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-12-03T23:27:53Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. ssl: Serverside SNI support for libpq

  2. ssl: Add tests for client CA

> On 3 Dec 2025, at 22:27, Jelte Fennema-Nio <postgres@jeltef.nl> wrote:
> 
> On Wed, 3 Dec 2025 at 17:57, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>>> I really want to make it possible for anyone who don't want SNI to keep using
>>> postgresql.conf and get the exact behavior they've always had.  Do you agree
>>> with that design goal?
>> 
>> Yeah, that's fair.
> 
> What if we make it so that if a pg_hosts.conf file exists, then the
> ssl_cert_file/ssl_key_file configs are ignored? And by default initdb
> would not create a file (or it would, but with the same default
> settings that we have now).

Maybe.  I'm not a big fan of magic-file-exist configurations but..  I'm trying
out a few different options to see which seems the most reasonable, and this is
for one of them.

> Basically it would be:
> 1. If the file does not exist, use the "off" behaviour
> 2. If the file exists, use the "strict" behaviour

It will really be "strict" *or* "default" based on whether or not '*' is set as
a wildcard hostname (which can be argued is just a version of strict).

--
Daniel Gustafsson