Author
digoal
Date
2021-04-08
Tags
PostgreSQL , SNI , Server Name Indication , rfc6066
Background
PostgreSQL 14 preview - libpq: support for setting Server Name Indication (SNI) on SSL connections
https://tools.ietf.org/html/rfc6066#section-3
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5c55dc8b47338e72a4e598c155d2048d756fd10e
```
libpq: Set Server Name Indication (SNI) for SSL connections
author Peter Eisentraut peter@eisentraut.org
Wed, 7 Apr 2021 13:11:41 +0000 (15:11 +0200)
committer Peter Eisentraut peter@eisentraut.org
Wed, 7 Apr 2021 13:11:41 +0000 (15:11 +0200)
commit 5c55dc8b47338e72a4e598c155d2048d756fd10e
tree a530a2724b25e84eebf7ad03b67aeec373f8378b
parent c1968426ba3de1fe37848863e35fff30261bf941
libpq: Set Server Name Indication (SNI) for SSL connections
By default, have libpq set the TLS extension "Server Name Indication" (SNI).
This allows an SNI-aware SSL proxy to route connections. (This
requires a proxy that is aware of the PostgreSQL protocol, not just
any SSL proxy.)
In the future, this could also allow the server to use different SSL
certificates for different host specifications. (That would require
new server functionality. This would be the client-side functionality
for that.)
Since SNI makes the host name appear in cleartext in the network
traffic, this might be undesirable in some cases. Therefore, also add
a libpq connection option "sslsni" to turn it off.
Discussion: https://www.postgresql.org/message-id/flat/7289d5eb-62a5-a732-c3b9-438cee2cb709%40enterprisedb.com
```
+HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, sslcrldir, sslsni, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size, batch_size, async_capable, keep_connections
+ <varlistentry id="libpq-connect-sslsni" xreflabel="sslsni">
+ <term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term>
+ <listitem>
+ <para>
+ By default, libpq sets the TLS extension <quote>Server Name
+ Indication</quote> (SNI) on SSL-enabled connections. See <ulink
+ url="https://tools.ietf.org/html/rfc6066#section-3">RFC 6066</ulink>
+ for details. By setting this parameter to 0, this is turned off.
+ </para>
+
+ <para>
+ The Server Name Indication can be used by SSL-aware proxies to route
+ connections without having to decrypt the SSL stream. (Note that this
+ requires a proxy that is aware of the PostgreSQL protocol handshake,
+ not just any SSL proxy.) However, SNI makes the destination host name
+ appear in cleartext in the network traffic, so it might be undesirable
+ in some cases.
+ </para>
+ </listitem>
+ </varlistentry>
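Review bot: the second paragraph of the new `sslsni` entry only says in parentheses that routing "requires a proxy that is aware of the PostgreSQL protocol handshake" without saying why; one sentence explaining that a PostgreSQL SSL connection starts with a cleartext SSLRequest packet, answered by a single `S` byte, before the TLS ClientHello carrying SNI is sent would let readers judge whether their proxy qualifies. Also, "By setting this parameter to 0, this is turned off" leaves the default value implicit; stating "The default is 1" explicitly, as the other boolean libpq options such as `sslcompression` do, would make the entry consistent with the rest of the list.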
PostgreSQL wish-list link
Your wish will be passed on to PG kernel hackers, database vendors and others to help improve database product quality and features; the next PG release may well include the feature you proposed. Especially good proposals are rewarded with limited-edition PG T-shirts, souvenirs, stickers, popular PG books and more, so come and make a wish.
Buy a 3-month Alibaba Cloud RDS PostgreSQL instance for 9.9 yuan
PostgreSQL solutions collection
De Ge / digoal's github - public welfare is a lifelong commitment.