Re: Serverside SNI support in libpq
Jelte Fennema-Nio <postgres@jeltef.nl>
From: Jelte Fennema-Nio <postgres@jeltef.nl>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Daniel Gustafsson <daniel@yesql.se>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>,
Jacob Champion <jacob.champion@enterprisedb.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-12-03T21:27:43Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
ssl: Serverside SNI support for libpq
- 4f433025f666 19 (unreleased) landed
-
ssl: Add tests for client CA
- 25e568ba7ce7 19 (unreleased) landed
On Wed, 3 Dec 2025 at 17:57, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > > I really want to make it possible for anyone who don't want SNI to keep using > > postgresql.conf and get the exact behavior they've always had. Do you agree > > with that design goal? > > Yeah, that's fair. What if we make it so that if a pg_hosts.conf file exists, then the ssl_cert_file/ssl_key_file configs are ignored? And by default initdb would not create a file (or it would, but with the same default settings that we have now). Then we don't need the new GUC. Basically it would be: 1. If the file does not exist, use the "off" behaviour 2. If the file exists, use the "strict" behaviour