Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Zsolt Parragi <zsolt.parragi@percona.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-03-18T14:58:02Z
Lists: pgsql-hackers
> On 18 Mar 2026, at 15:33, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>> The longfin issue is a bit more odd, I can reproduce it on macOS with OpenSSL
>> 1.1.1 but nowhere else.  Rather than reporting an SSL error for aborted
>> handshake it reports a SYSCALL error.
> 
> IIRC longfin is using some fairly old hand-built openssl installation.

Thanks for confirming, that matches with my local repro which required building
1.1.1 on macOS. Did you build with Apple clang or a a stock clang/gcc?

> Maybe I should just update it.  Do you want to hold off and see if
> that changes anything?

Let's wait a little while I research little more.  I can reproduce it locally
but it's better with two independent cases.

--
Daniel Gustafsson




Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Declare load_hosts() as returning HostsFileLoadResult.

  2. ssl: Skip passphrase reload tests in EXEC_BACKEND builds

  3. ssl: Serverside SNI support for libpq

  4. ssl: Add tests for client CA