Set SNI on SSL connections
arkbriar opened this issue
Feature Request
Is your feature request related to a problem? Please describe
Some SSL-aware proxies rely on the SNI to route connections[1]. Also, libpq
sends SNI by default[2]. I think it's better for r2dbc-postgresql to provide an option to support SNI as well.
[1] https://www.postgresql.org/message-id/7289d5eb-62a5-a732-c3b9-438cee2cb709@enterprisedb.com
[2] https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLSNI
Describe the solution you'd like
IMO, there should be an option to control the behavior, for example a global / per connection, and turn it on by default to be aligned with libpq, and then the lib sets SNI accordingly in the createSslProvider.
Describe alternatives you've considered
None
Teachability, Documentation, Adoption, Migration Strategy
We currently do not support SNI. Implementation-wise, SNI needs to be configured either on SSL Engine allocation or via SSLParameters.setServerNames(…)/SSLParameters.setSNIMatchers(…).
We could have a configuration of a SSLParameters Function to post-process the existing parameters for greater flexibility and an additional flag in the config for enabling SNI to indicate the configured hostname/port to the SSL endpoint.
@davecramer does PGJDBC have support for SNI?
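The SSLParameters.setServerNames(…) route mentioned in the comment above, as an added example using only JDK classes; it is not r2dbc-postgresql's code. The class name, the isIpLiteral helper, the sni flag and the sample hosts are assumptions made for illustration. It sends SNI only for DNS names, because RFC 6066 does not permit IP literals in the server_name extension.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.List;

public class SniExample {

    // Hypothetical helper: treat anything with ':' as IPv6 and a dotted quad as IPv4.
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0
            || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Build a client-mode engine and set (or suppress) SNI through SSLParameters.
    // The 'sni' flag stands in for the configuration switch discussed in the issue.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port, boolean sni) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        if (sni && !isIpLiteral(host)) {
            try {
                // SNIHostName rejects empty names and names ending in a dot.
                params.setServerNames(List.of(new SNIHostName(host)));
            } catch (IllegalArgumentException e) {
                params.setServerNames(List.of()); // not a legal SNI name: send none
            }
        } else {
            // An empty list means the handshake carries no server_name extension.
            params.setServerNames(List.of());
        }
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample hosts: one DNS name, one IP literal.
        for (String host : new String[] {"db.example.internal", "192.0.2.10"}) {
            SSLEngine engine = clientEngine(ctx, host, 5432, true);
            System.out.println(host + " -> " + engine.getSSLParameters().getServerNames());
        }
    }
}
```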
> We could have a configuration of a SSLParameters Function to post-process the existing parameters for greater flexibility and an additional flag in the config for enabling SNI to indicate the configured hostname/port to the SSL endpoint.
Sounds great!
> @davecramer does PGJDBC have support for SNI?
I believe it does. Quote from the mail list:
> Just as additional data points, it has come to my attention that both
> the Go driver ("lib/pq") and the JDBC environment already send SNI
> automatically. (In the case of JDBC this is done by the Java system
> libraries, not the JDBC driver implementation.)
https://www.postgresql.org/message-id/9407b344-7342-b2b7-004f-d5250687be42%40enterprisedb.com
That's in place now with SNI enabled by default to align with PGJDBC. Can you test the current 1.0.5.BUILD-SNAPSHOT build and let us know whether the change works for you? If so, we'd like to ship a release today or tomorrow.
Wow, thanks for the quick and awesome work! That's so cool!
> Can you test the current 1.0.5.BUILD-SNAPSHOT build and let us know whether the change works for you?
Yes, it works perfectly!