Request a Demo
Home   >   mailing lists

Re: Serverside SNI support in libpq - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: Serverside SNI support in libpq
Date
Msg-id f621264b-26a6-4b7a-8982-3820b7d6d397@iki.fi
Whole thread Raw
In response to Re: Serverside SNI support in libpq  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Serverside SNI support in libpq
List pgsql-hackers
Tree view 
On 03/12/2025 18:52, Daniel Gustafsson wrote:
>> On 3 Dec 2025, at 10:57, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> Do we need the GUC? It feels a little confusing that a GUC affects how the settings in the pg_hosts.conf are
interepreted.It'd be nice if you could open pg_hosts.conf in an editor, and see at one glance everything that affects
this.
> 
> I added the GUC for two reasons; as a way to opt-out of this feature if it's
> something that the admin doesn't want; and as a way to set the SNI mode.  There
> are currently the two modes of STRICT and DEFAULT which affects how incoming
> connections are handled.  The first motivation might be unfounded, and the
> second one could be encoded in a pg_hosts configuration though implicitly
> rather than explicitly.
> 
> Having all the details in pg_hosts.conf is appealing, no disagreement there,
> but it does pose some challenges in the interaction with the postgresql.conf
> GUCS (more later).
> 
>> I propose that there is no GUC. In 'pg_hosts.conf', you can specify a wildcard '*' host that matches anything. You
canalso specify a "no sni" line which matches connections with no SNI specified. (Or something along those lines, I
didn'tthink too hard about all the interactions).
 
> 
> So basically reserving a hostname,"no_sni" or something, which indicates that
> it's for non sslsni connections?  That should work, with the parsing rule that
> there can only be one in the file.

Yeah, something like that. And to implement the "strict" mode, you could 
have a "no_sni" line with no cert/key specified.

>> For backwards-compatibility, if you specify a certificate and key in postgresql.conf, they are treated the same as
ifyou had a "*" line in pg_hosts.conf.
 
> 
> That's a bit trickier though, since the cert/key have a default boot_val so
> they will always be set to something unless the user enables ssl=on and at the
> same time uncomments ssl_cert_file/ssl_key_file and set them to '' before
> proceeding to add configuration in pg_hosts.conf.  This is pretty unintuitive I
> think.  unintuitive.  This backwards comatibility is one of the reasons I kept
> the postgresl.conf values for the default context config.
> 
> I really want to make it possible for anyone who don't want SNI to keep using
> postgresql.conf and get the exact behavior they've always had.  Do you agree
> with that design goal?

Yeah, that's fair.

- Heikki

pgsql-hackers by date:

Previous
From: Nathan Bossart
Date:
Subject: Re: Use func(void) for functions with no parameters
Next
From: Nathan Bossart
Date:
Subject: Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM