Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-12-03T13:58:01Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. ssl: Serverside SNI support for libpq

  2. ssl: Add tests for client CA

Attachments

> On 25 Jul 2024, at 19:51, Jacob Champion <jacob.champion@enterprisedb.com> wrote:

The attached rebased version adds proper list reset, a couple of bugfixes
around cert loading and the ability to set ssl_passhprase_command (and reload)
in the hosts file.

> Matt Caswell appears to be convinced that SSL_set_SSL_CTX() is
> fundamentally broken. So it might just be FUD, but I'm wondering if we
> should instead be using the SSL_ flavors of the API to reassign the
> certificate chain on the SSL pointer directly, inside the callback,
> instead of trying to set them indirectly via the SSL_CTX_ API.

Maybe, but I would feel better about changing if I can could reproduce the
issues (see below).

> Have you seen any weird behavior like this on your end? I'm starting
> to doubt my test setup...

I've not been able to reproduce any behaviour like what you describe.

> On the plus side, I now have a handful of
> debugging patches for a future commitfest.

Do you have them handy for running tests on this version?

--
Daniel Gustafsson