| field | value |
|---|---|
| author | Peter Eisentraut <peter@eisentraut.org>, 2021-04-07 15:11:41 +0200 |
| committer | Peter Eisentraut <peter@eisentraut.org>, 2021-04-07 15:11:41 +0200 |
| commit | 5c55dc8b47338e72a4e598c155d2048d756fd10e (patch) |
| tree | a530a2724b25e84eebf7ad03b67aeec373f8378b /doc/src |
| parent | c1968426ba3de1fe37848863e35fff30261bf941 (diff) |
| download | postgresql-5c55dc8b47338e72a4e598c155d2048d756fd10e.tar.gz, postgresql-5c55dc8b47338e72a4e598c155d2048d756fd10e.zip |
libpq: Set Server Name Indication (SNI) for SSL connections
By default, have libpq set the TLS extension "Server Name Indication" (SNI).
This allows an SNI-aware SSL proxy to route connections. (This
requires a proxy that is aware of the PostgreSQL protocol, not just
any SSL proxy.)
In the future, this could also allow the server to use different SSL
certificates for different host specifications. (That would require
new server functionality. This would be the client-side functionality
for that.)
Since SNI makes the host name appear in cleartext in the network
traffic, this might be undesirable in some cases. Therefore, also add
a libpq connection option "sslsni" to turn it off.
Discussion: https://www.postgresql.org/message-id/flat/7289d5eb-62a5-a732-c3b9-438cee2cb709%40enterprisedb.com
Diffstat (limited to 'doc/src')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/src/sgml/libpq.sgml | 31 |

1 files changed, 31 insertions, 0 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 3ec458ce09d..52622fe4c1a 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1777,6 +1777,27 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname </listitem> </varlistentry> + <varlistentry id="libpq-connect-sslsni" xreflabel="sslsni"> + <term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term> + <listitem> + <para> + By default, libpq sets the TLS extension <quote>Server Name + Indication</quote> (SNI) on SSL-enabled connections. See <ulink + url="https://tools.ietf.org/html/rfc6066#section-3">RFC 6066</ulink> + for details. By setting this parameter to 0, this is turned off. + </para> + + <para> + The Server Name Indication can be used by SSL-aware proxies to route + connections without having to decrypt the SSL stream. (Note that this + requires a proxy that is aware of the PostgreSQL protocol handshake, + not just any SSL proxy.) However, SNI makes the destination host name + appear in cleartext in the network traffic, so it might be undesirable + in some cases. + </para> + </listitem> + </varlistentry> + <varlistentry id="libpq-connect-requirepeer" xreflabel="requirepeer"> <term><literal>requirepeer</literal></term> <listitem> @@ -7800,6 +7821,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) <listitem> <para> <indexterm> + <primary><envar>PGSSLSNI</envar></primary> + </indexterm> + <envar>PGSSLSNI</envar> behaves the same as the <xref + linkend="libpq-connect-sslsni"/> connection parameter. + </para> + </listitem> + + <listitem> + <para> + <indexterm> <primary><envar>PGREQUIREPEER</envar></primary> </indexterm> <envar>PGREQUIREPEER</envar> behaves the same as the <xref |
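Review bot: The new `sslsni` paragraph in the first hunk (libpq.sgml @@ -1777) should say which name libpq actually places in the SNI extension and what happens when there is nothing suitable to send. RFC 6066 section 3, which the paragraph links, does not allow literal IPv4/IPv6 addresses in the HostName field, so a reader needs to know whether SNI is simply omitted when `host` is an IP address, when only `hostaddr` is given, or when the connection goes over a Unix-domain socket; otherwise the sentence "libpq sets the TLS extension ... on SSL-enabled connections" reads as unconditional. The value description is also incomplete: "By setting this parameter to 0, this is turned off" names the off value but not the default; suggest "The default is 1 (enabled); set it to 0 to turn it off" so the accepted values are explicit, in the same style as the neighbouring boolean-like parameters. Finally, since the second paragraph already warns that the host name appears in cleartext, it would help to note that the name leaks only when SNI is enabled and a DNS name is used, so an operator who wants to avoid disclosure knows that `sslsni=0` is the relevant knob and that the warning does not apply to `hostaddr`-only connections.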
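Review bot: The `PGSSLSNI` entry in the second hunk (libpq.sgml @@ -7800) uses `<xref linkend="libpq-connect-sslsni"/>`, which resolves only through the `xreflabel="sslsni"` added by the first hunk, so this documentation change is not separable from the parameter entry and should not be backpatched or cherry-picked on its own. Placement before `PGREQUIREPEER` matches the order of `sslsni` before `requirepeer` in the parameter list, which keeps the two lists consistent; no further change needed there.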