libpq: Set Server Name Indication (SNI) for SSL connections

Enterprise / PostgreSQL - Peter Eisentraut [eisentraut.org] - 7 April 2021 13:11 UTC

By default, have libpq set the TLS extension "Server Name Indication" (SNI).

This allows an SNI-aware SSL proxy to route connections. (This requires a proxy that is aware of the PostgreSQL protocol, not just any SSL proxy.)

In the future, this could also allow the server to use different SSL certificates for different host specifications. (That would require new server functionality. This would be the client-side functionality for that.)

Since SNI makes the host name appear in cleartext in the network traffic, this might be undesirable in some cases. Therefore, also add a libpq connection option "sslsni" to turn it off.

Discussion: https://www.postgresql.org/message-id/flat/7289d5eb-62a5-a732-c3b9-438cee2cb709%40enterprisedb.com
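
The cleartext exposure of the host name noted above can be verified directly on the wire, which is also how one would confirm that a client configured with sslsni turned off stops sending it. The following is an added example, not code from the commit or from libpq: it parses a PostgreSQL client stream (the 8-byte SSLRequest message, which libpq sends before starting TLS, followed by the TLS ClientHello) and returns the SNI host name if present. The ClientHello bytes are constructed inline for the demonstration.

```python
import struct

# Constructed sample traffic, not captured from a real client or server.
# PostgreSQL clients send an 8-byte SSLRequest (length 8, code 80877103)
# before the TLS ClientHello; extract_sni() accepts that optional prefix.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello; adds an SNI extension only if given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        name_list = struct.pack("!BH", 0, len(host)) + host  # name_type 0 = host_name
        sni = struct.pack("!H", len(name_list)) + name_list
        exts += struct.pack("!HH", 0, len(sni)) + sni         # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def extract_sni(stream):
    """Return the SNI host name carried by a ClientHello, or None if absent."""
    if stream.startswith(SSL_REQUEST):
        stream = stream[len(SSL_REQUEST):]
    if len(stream) < 9 or stream[0] != 0x16 or stream[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + stream[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", stream, pos)[0]   # cipher suites
    pos += 1 + stream[pos]                                # compression methods
    if pos >= len(stream):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", stream, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", stream, pos)
        pos += 4
        if etype == 0:                                    # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack_from("!H", stream, pos + 3)[0]
            return stream[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None
```

Running extract_sni() over the default ClientHello returns the host name in cleartext; over one built without the extension it returns None, which is the observable effect of the sslsni option on the wire.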

5c55dc8b47 libpq: Set Server Name Indication (SNI) for SSL connections
contrib/postgres_fdw/expected/postgres_fdw.out | 2 +-
doc/src/sgml/libpq.sgml | 31 ++++++++++++++++++++++++++
src/interfaces/libpq/fe-connect.c | 6 +++++
src/interfaces/libpq/fe-secure-openssl.c | 22 ++++++++++++++++++
src/interfaces/libpq/libpq-int.h | 1 +
5 files changed, 61 insertions(+), 1 deletion(-)

Upstream: git.postgresql.org
