Set SNI for TLS connections #1088
Relevant discussion: #488
lgtm
@rafiss, any chance you can take a look? This PR has been hanging approved for some amount of time.
errors from linting:
Error: ssl_test.go:347:4: this value of err is never used (SA4006)
Error: ssl_test.go:348:4: this value of err is never used (SA4006)
Error: ssl_test.go:392:5: should use !bytes.Equal(startupMessage, []byte{0, 0, 0, 0x8, 0x4, 0xd2, 0x16, 0x2f}) instead (S1004)
9927d34 to 0c4600d
Thanks for the review, I've fixed the mentioned issues.
This allows an SNI-aware proxy to route connections. Patch adds a new connection option (`sslsni`) for opting out of the SNI, to have the same behavior as `libpq` does. See more in `sslsni` sections at <https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS>.
thanks for your contribution!
This seems to have broken connections with sslmode=verify-ca. This setting is supposed to ignore the DNS names in the server certificate, but now connections fail with "x509: certificate is valid for x, y, z, not a".