pgsql: libpq: Set Server Name Indication (SNI) for SSL connections

From: Peter Eisentraut <peter(at)eisentraut(dot)org>
To: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: pgsql: libpq: Set Server Name Indication (SNI) for SSL connections
Date: 2021-04-07 13:17:14
Message-ID: E1lU83W-0007gu-Am@gemulon.postgresql.org
Lists: pgsql-committers

libpq: Set Server Name Indication (SNI) for SSL connections

By default, have libpq set the TLS extension "Server Name Indication" (SNI).

This allows an SNI-aware SSL proxy to route connections. (This
requires a proxy that is aware of the PostgreSQL protocol, not just
any SSL proxy.)

In the future, this could also allow the server to use different SSL
certificates for different host specifications. (That would require
new server functionality. This would be the client-side functionality
for that.)

Since SNI makes the host name appear in cleartext in the network
traffic, this might be undesirable in some cases. Therefore, also add
a libpq connection option "sslsni" to turn it off.

Discussion: https://www.postgresql.org/message-id/flat/7289d5eb-62a5-a732-c3b9-438cee2cb709%40enterprisedb.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/5c55dc8b47338e72a4e598c155d2048d756fd10e

Modified Files
--------------
contrib/postgres_fdw/expected/postgres_fdw.out | 2 +-
doc/src/sgml/libpq.sgml | 31 ++++++++++++++++++++++++++
src/interfaces/libpq/fe-connect.c | 6 +++++
src/interfaces/libpq/fe-secure-openssl.c | 22 ++++++++++++++++++
src/interfaces/libpq/libpq-int.h | 1 +
5 files changed, 61 insertions(+), 1 deletion(-)
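
Added example, not part of the commit or the PostgreSQL source: a minimal C parser that pulls the host name out of the server_name extension in a TLS ClientHello extensions block. This is the cleartext value the message refers to and the field an SNI-aware proxy routes on. The function name, the host db.example.com and both byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Scan a ClientHello extensions block for server_name (type 0, RFC 6066) and
 * copy its host_name into out. Returns 1 if found, 0 if absent, -1 if malformed. */
int sni_from_extensions(const uint8_t *ext, size_t len, char *out, size_t outsz)
{
    size_t off = 0;
    while (off + 4 <= len) {
        unsigned type = rd16(ext + off), elen = rd16(ext + off + 2);
        const uint8_t *body = ext + off + 4;
        if (elen > len - off - 4)
            return -1;              /* extension runs past the block */
        if (type == 0) {
            /* body: list_len(2) name_type(1) name_len(2) name */
            if (elen < 5 || rd16(body) > elen - 2 || body[2] != 0)
                return -1;
            unsigned nlen = rd16(body + 3);
            if (nlen > elen - 5 || nlen >= outsz)
                return -1;
            memcpy(out, body + 5, nlen);   /* sent before any encryption */
            out[nlen] = '\0';
            return 1;
        }
        off += 4 + elen;
    }
    return off == len ? 0 : -1;
}

/* Constructed sample: extensions for host db.example.com with SNI enabled. */
static const uint8_t with_sni[] = {
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,             /* supported_versions */
    0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e, /* server_name header */
    'd', 'b', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
};
/* Constructed sample: the same block as it would look with sslsni=0. */
static const uint8_t without_sni[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };

int main(void)
{
    char host[64];
    if (sni_from_extensions(with_sni, sizeof with_sni, host, sizeof host) == 1)
        printf("SNI on:  observer reads \"%s\"\n", host);
    if (sni_from_extensions(without_sni, sizeof without_sni, host, sizeof host) == 0)
        printf("SNI off: no server_name extension\n");
    return 0;
}
```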
