Re: SSL SNI

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-02-25T16:00:25Z
Lists: pgsql-hackers
On 17.02.21 00:01, Jacob Champion wrote:
> On Mon, 2021-02-15 at 15:09 +0100, Peter Eisentraut wrote:
>> The question I had was whether this should be an optional behavior, or
>> conversely a behavior that can be turned off, or whether it should just
>> be turned on all the time.
> Personally I think there should be a toggle, so that any users for whom
> hostnames are potentially sensitive don't have to make that information
> available on the wire. Opt-in, to avoid having any new information
> disclosure after a version upgrade?

Just as additional data points, it has come to my attention that both 
the Go driver ("lib/pq") and the JDBC environment already send SNI 
automatically.  (In the case of JDBC this is done by the Java system 
libraries, not the JDBC driver implementation.)



Commits

  1. libpq: Fix SNI host handling

  2. libpq: Set Server Name Indication (SNI) for SSL connections