Re: Introducing SNI in TLS handshake for SSL connections

On 12/11/18 3:52 PM, Pablo Iranzo Gómez wrote:> I came to this old
thread while trying to figure out on how to setup
> postgres replication behind OpenShift/Kubernetes behind a route (which
> only forwards 80 or 443 traffic), but could work if SNI is supported on
> the client using it.
>
> I haven't found any further follow-up on this, but based on the number
> of posts and questions on many sites on accessing postgres on
> OpenShift/Kubernetes it could be something good to have supported.
>
> Any further information or plans?

I am pretty sure nobody is working on this.

It seems like it would be easy to implement (basically just call
SSL_set_tlsext_host_name() with the right hostname) with the only issue
being that we may need to add a new connection string parameter[1]
because I doubt all users would want SNI enabled by default since
PostgreSQL itself cannot do anything useful with the hostname, only some
kind of TLS proxy can. Hopefully there wont be much bike shedding about
the new connection parameter. :)

Feel free to write a patch if you have the time and submit it to the
next commitfest[2] for review.

Notes:

1. List of current options:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
2. https://wiki.postgresql.org/wiki/CommitFest

Andreas