Re: SSL SNI
Matthias van de Meent <boekewurm+postgres@gmail.com>
From: Matthias van de Meent <boekewurm+postgres@gmail.com>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2021-02-15T14:28:23Z
Lists: pgsql-hackers
On Mon, 15 Feb 2021 at 15:09, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > A customer asked about including Server Name Indication (SNI) into the > SSL connection from the client, so they can use an SSL-aware proxy to > route connections. There was a thread a few years ago where this was > briefly discussed but no patch appeared.[0] I whipped up a quick patch > and it did seem to do the job, so I figured I'd share it here. The same topic of SSL-aware proxying based on SNI was mentioned in a more recent thread here [0]. The state of that patch is unclear, though. Other than that, this feature seems useful. + /* + * Set Server Name Indication (SNI), but not if it's a literal IP address. + * (RFC 6066) + */ + if (!((conn->pghost[0] >= '0' && conn->pghost[0] <= '9') || strchr(conn->pghost, ':'))) '1one.example.com' is a valid hostname, but would fail this trivial test, and thus would not have SNI enabled on its connection. With regards, Matthias van de Meent [0] https://www.postgresql.org/message-id/flat/37846a5e-bb5e-0c4f-3ee8-54fb4bd02fab%40gmx.de
Commits
-
libpq: Fix SNI host handling
- 37e1cce4ddf0 14.0 landed
-
libpq: Set Server Name Indication (SNI) for SSL connections
- 5c55dc8b4733 14.0 landed