| From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | SSL SNI |
| Date: | 2021-02-15 14:09:47 |
| Message-ID: | 7289d5eb-62a5-a732-c3b9-438cee2cb709@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
A customer asked about including Server Name Indication (SNI) into the
SSL connection from the client, so they can use an SSL-aware proxy to
route connections. There was a thread a few years ago where this was
briefly discussed but no patch appeared.[0] I whipped up a quick patch
and it did seem to do the job, so I figured I'd share it here.
The question I had was whether this should be an optional behavior, or
conversely a behavior that can be turned off, or whether it should just
be turned on all the time.
Technically, it seems pretty harmless. It adds another field to the TLS
handshake, and if the server is not interested in it, it just gets ignored.
The Wikipedia page[1] discusses some privacy concerns in the context of
web browsing, but it seems there is no principled solution to those.
The relevant RFC[2] "recommends" that SNI is used for all applicable TLS
connections.
[0]:
https://www.postgresql.org/message-id/flat/CAPPwrB_tsOw8MtVaA_DFyOFRY2ohNdvMnLoA_JRr3yB67Rggmg%40mail.gmail.com
[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
[2]: https://tools.ietf.org/html/rfc6066#section-3
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Set-SNI-for-SSL-connections-from-the-client.patch | text/plain | 1.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | vignesh C | 2021-02-15 14:20:09 | Re: logical replication seems broken |
| Previous Message | Ranier Vilela | 2021-02-15 14:01:39 | Re: Possible dereference after null check (src/backend/executor/ExecUtils.c) |