Hi,
Back in November 2013 someone suggested adding the SNI header in the TLS handshake for connections initiated by libpq using OpenSQL. There was no usecase at that point.
However, right now there is one:
I'd like to write a small "PostGreSQL router" that routes connections to a specific cluster based on the requested SNI. Maybe it is even possible to just integrate this as an option in HaProxy, didn't look how difficult it would be to do it there.
The whole point is for using PostGreSQL inside containers and being able to connect to it from anywhere. For example if you are using Docker, you could expose the default PostGreSQL port on Dockers ingress routing mesh and let it go to the router application. Then the router application will read the SNI headers and forward the connection to the appropriate container via the Docker Overlay network (and maybe optionally even do "ssl offload" at this point since the Overlay network is already encrypted).
If there's nobody against this, I can try to do the patch myself, doesn't look too difficult (I expect it to simply work by calling SSL_set_tlsext_host_name(SSL_context, PQhost(conn))) somewhere in initialize_SSL in fe-secure-openssl.c.
Thanks,
Florin.
