Re: Serverside SNI support in libpq

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Zsolt Parragi <zsolt.parragi@percona.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Heikki Linnakangas <hlinnaka@iki.fi>, Dewei Dai <daidewei1970@163.com>, "li.evan.chao" <li.evan.chao@gmail.com>, Michael Paquier <michael@paquier.xyz>, Andres Freund <andres@anarazel.de>, Pgsql Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-03-18T14:25:13Z
Lists: pgsql-hackers

Attachments

> On 18 Mar 2026, at 14:01, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
> 
> On Wed, Mar 18, 2026 at 5:19 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>> longfin has so far reported a test failure which I am looking into.
> 
> I took a quick look at culicidae and I think that's just due to the
> use of EXEC_BACKEND. Rather than $windows_os the SKIP logic should
> probably use something like 001_server's $exec_backend.

That's a bit embarrassing, I spent some time investigating passphrase reloading
under EXEC_BACKEND as part of this patchset..

The longfin issue is a bit more odd, I can reproduce it on macOS with OpenSSL
1.1.1 but nowhere else.  Rather than reporting an SSL error for aborted
handshake it reports a SYSCALL error.  Using SYSCALL error for when the server
close the connection abruptly is documented, but not really this case where it
does so with no error codes at all (which given OpenSSL documentation doesn't
really say much..).  The change in the attached diff does fix it for me but I'm
a bit hesitant to apply something like that, I would be more inclined to the
change the expected output in the test.  What are your thoughts?

--
Daniel Gustafsson

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Declare load_hosts() as returning HostsFileLoadResult.

  2. ssl: Skip passphrase reload tests in EXEC_BACKEND builds

  3. ssl: Serverside SNI support for libpq

  4. ssl: Add tests for client CA