Re: SSL SNI
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "peter.eisentraut@enterprisedb.com" <peter.eisentraut@enterprisedb.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-02-16T23:01:36Z
Lists: pgsql-hackers
On Mon, 2021-02-15 at 15:09 +0100, Peter Eisentraut wrote: > The question I had was whether this should be an optional behavior, or > conversely a behavior that can be turned off, or whether it should just > be turned on all the time. Personally I think there should be a toggle, so that any users for whom hostnames are potentially sensitive don't have to make that information available on the wire. Opt-in, to avoid having any new information disclosure after a version upgrade? > The Wikipedia page[1] discusses some privacy concerns in the context of > web browsing, but it seems there is no principled solution to those. I think Encrypted Client Hello is the new-and-improved Encrypted SNI, and it's on the very bleeding edge. You'd need to load a public key into the client using some out-of-band communication -- e.g. browsers would use DNS-over-TLS, but it might not make sense for a Postgres client to use that same system. NSS will probably be receiving any final implementation before OpenSSL, if I had to guess, since Mozilla is driving pieces of the implementation. --Jacob
Commits
-
libpq: Fix SNI host handling
- 37e1cce4ddf0 14.0 landed
-
libpq: Set Server Name Indication (SNI) for SSL connections
- 5c55dc8b4733 14.0 landed