Re: Add "host" to startup packet - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Add "host" to startup packet
Date
Msg-id F8D60DAC-7483-4101-BA52-B450F29F935A@yesql.se
In response to Re: Add "host" to startup packet  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
> On 2 Apr 2023, at 18:33, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Greg Stark <stark@mit.edu> writes:
>> My question is a bit different. How does this interact with TLS SNI.
>> Can you just use the SNI name given in the TLS handshake? Should the
>> server require them to match? Is there any value to having a separate
>> source for this info? Is something similar available in GSSAPI
>> authentication?
>
> The idea that I was thinking about was to not hard-wire sending the host
> string exactly, but instead to invent another connection parameter along
> the line of "send_host = name-to-send".  This parallels the situation in
> HTTP where the "Host" header doesn't necessarily have to match the actual
> transport target.

Since we already have sslsni in libpq since v14, and SNI being well understood
and standardized, do we really want to invent our own parallel scheme?
Alternatively, the protocol in the PROXY patch by Magnus [0] which stalled a
few CFs ago has similar functionality for the client to pass a hostname.

--
Daniel Gustafsson

[0] https://www.postgresql.org/message-id/flat/CABUevExJ0ifpUEiX4uOREy0s2kHBrBrb=pXLEHhpMTR1vVR1XA@mail.gmail.com

