lib / pq

Pure Go Postgres driver for database/sql
https://pkg.go.dev/github.com/lib/pq
MIT License

Set SNI for TLS connections #1088

Closed kelvich closed 1 year ago

kelvich commented 1 year ago

This allows an SNI-aware proxy to route connections. The patch adds a new connection option (sslsni) for opting out of SNI, to have the same behavior as libpq. See more in the sslsni sections at https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS.

kelvich commented 1 year ago

Relevant discussion: https://github.com/lib/pq/issues/488. libpq has set SNI since v14.

kelvich commented 1 year ago

@rafiss, any chance you can take a look? This PR has been hanging, approved, for some time.

kelvich commented 1 year ago

Thanks for the review, I've fixed the mentioned issues.

pschultz commented 1 year ago

This seems to have broken connections with sslmode=verify-ca. This setting is supposed to ignore the DNS names in the server certificate, but now connections fail with "x509: certificate is valid for x, y, z, not a".

From what I can tell, to preserve backward compatibility tlsConf.ServerName should not be assigned if sslsni is absent and sslmode is anything other than verify-full.

cbandy commented 1 year ago

@pschultz That may be #1106.