Re: Serverside SNI support in libpq

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-03-18T16:14:02Z
Lists: pgsql-hackers
On Wed, Mar 18, 2026 at 7:25 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> The longfin issue is a bit more odd, I can reproduce it on macOS with OpenSSL
> 1.1.1 but nowhere else.  Rather than reporting an SSL error for aborted
> handshake it reports a SYSCALL error.

Do you know yet why the handshake is aborted on macOS, as opposed to a
polite handshake_failure alert?

> The change in the attached diff does fix it for me but I'm
> a bit hesitant to apply something like that, I would be more inclined to the
> change the expected output in the test.  What are your thoughts?

I think that patch might effectively shadow the `else` branch, which
is supposed to be reporting the EOF. (I wouldn't mind a better error
message than "SYSCALL error: EOF detected", but that's not something
this patch did.)

--Jacob



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Declare load_hosts() as returning HostsFileLoadResult.

  2. ssl: Skip passphrase reload tests in EXEC_BACKEND builds

  3. ssl: Serverside SNI support for libpq

  4. ssl: Add tests for client CA