Request a Demo
Home   >   mailing lists

Re: Serverside SNI support in libpq - Mailing list pgsql-hackers

From Zsolt Parragi
Subject Re: Serverside SNI support in libpq
Date
Msg-id CAN4CZFOFAgfyjO7MtCajmtErL1uSzDrSEmxGHOwMFYY3J4Qp+A@mail.gmail.com
Whole thread
In response to Re: Serverside SNI support in libpq  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Serverside SNI support in libpq
List pgsql-hackers
Tree view 
> I'm a bit surprised that the .dat
> file processing doesn't error out keys that aren't part of the DSL for defining
> GUCs but clearly it doesn't. Fixed.

This also surprised me, I wrote a patch to improve this [1].

I only have a few mostly stylistic comments, otherwise the patch looks good.

+ if (isServerStart)
+ {
+ if (host->ssl_passphrase_cmd && host->ssl_passphrase_cmd[0])
+ {
+ SSL_CTX_set_default_passwd_cb(ctx, ssl_external_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, host->ssl_passphrase_cmd);
+ }
+ }
+ else
+ {
+ if (host->ssl_passphrase_reload && host->ssl_passphrase_cmd[0])
+ {
+ SSL_CTX_set_default_passwd_cb(ctx, ssl_external_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, host->ssl_passphrase_cmd);
+ }

The start path checks ssl_passphrase_cmd for null, the reload doesn't.


+ if (openssl_tls_init_hook != default_openssl_tls_init)
+ {
+ ereport(WARNING,
+ errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("SNI is enabled; installed TLS init hook will be ignored"),

Won't this spam the log with one warning per hosts line? It might be
okay/acceptable, but there isn't anything line specific in this
warning.


+ * file.  The list is returned in the hosts parameter. The function will return
+ * a HostsFileLoadResult value detailing the result of the operation.  When
+ * the hosts configuration failed to load, the err_msg variable may have more
+ * information in case it was passed as non-NULL.
+ */
+int
+load_hosts(List **hosts, char **err_msg)

Comment says HostsFileLoadResult, but the return type is int.


+typedef enum HostsFileLoad
+{
+ HOSTSFILE_LOAD_OK = 0,
+ HOSTSFILE_LOAD_FAILED,
+ HOSTSFILE_EMPTY,
+ HOSTSFILE_MISSING,
+ HOSTSFILE_DISABLED,
+} HostsFileLoadResult;

Is the HostsFileLoad vs HostsFileLoadResult difference intentional?


+#ifdef USE_ASSERT_CHECKING
+ if (res == HOSTSFILE_DISABLED)
+ Assert(ssl_sni == false);
+#endif

Do we need this ifdef?


And I also found a typo (distncnt):

+ /*
+ * At this point we know we have a configuration with a list
+ * of distnct 1..n hostnames for literal string matching with
+ * the SNI extension from the user.


[1]: https://www.postgresql.org/message-id/CAN4CZFP%3D3xUoXb9jpn5OWwicg%2Brbyrca8-tVmgJsQAa4%2BOExkw%40mail.gmail.com

pgsql-hackers by date:

Previous
From: Zsolt Parragi
Date:
Subject: Re: Stack-based tracking of per-node WAL/buffer usage
Next
From: Zsolt Parragi
Date:
Subject: Re: [oauth] Stabilize the libpq-oauth ABI (and allow alternative implementations?)