Closed kelvich closed 1 year ago
Relevant discussion: https://github.com/lib/pq/issues/488
libpq sets SNI since v14
@rafiss, any chance you can take a look? This PR is hanging approved for some amount of time.
Thanks for the review, I've fixed the mentioned issues.
This seems to have broken connections with sslmode=verify-ca. This setting is supposed to ignore the DNS names in the server certificate, but now connections fail with "x509: certificate is valid for x, y, z, not a".
From what I can tell, to preserve backward compatibility tlsConf.ServerName should not be assigned if sslsni is absent and sslmode is anything other than verify-full.
@pschultz That may be #1106.
This allows an SNI-aware proxy to route connections. Patch adds a new connection option (sslsni) for opting out of the SNI, to have the same behavior as libpq does. See more in sslsni sections at https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS.