Re: SSL SNI
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Jacob Champion <pchampion@vmware.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-02-25T16:00:25Z
Lists: pgsql-hackers
On 17.02.21 00:01, Jacob Champion wrote:
> On Mon, 2021-02-15 at 15:09 +0100, Peter Eisentraut wrote:
>> The question I had was whether this should be an optional behavior, or
>> conversely a behavior that can be turned off, or whether it should just
>> be turned on all the time.
> Personally I think there should be a toggle, so that any users for whom
> hostnames are potentially sensitive don't have to make that information
> available on the wire. Opt-in, to avoid having any new information
> disclosure after a version upgrade?
Just as additional data points, it has come to my attention that both
the Go driver ("lib/pq") and the JDBC environment already send SNI
automatically. (In the case of JDBC this is done by the Java system
libraries, not the JDBC driver implementation.)
Commits
-
libpq: Fix SNI host handling
- 37e1cce4ddf0 14.0 landed
-
libpq: Set Server Name Indication (SNI) for SSL connections
- 5c55dc8b4733 14.0 landed