pgjdbc / r2dbc-postgresql

Postgresql R2DBC Driver

Home Page:https://r2dbc.io

Set SNI on SSL connections

arkbriar opened this issue · comments

Feature Request

Is your feature request related to a problem? Please describe

Some SSL-aware proxies rely on the SNI to route connections[1]. Also, libpq sends SNI by default[2]. I think it's better for r2dbc-postgresql to provide an option to support SNI as well.

[1] https://www.postgresql.org/message-id/7289d5eb-62a5-a732-c3b9-438cee2cb709@enterprisedb.com
[2] https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLSNI

Describe the solution you'd like

IMO, there should be an option to control the behavior, for example a global / per connection, and turn it on by default to be aligned with libpq, and then the lib sets SNI accordingly in the createSslProvider.

Describe alternatives you've considered

None

Teachability, Documentation, Adoption, Migration Strategy

We currently do not support SNI. Implementation-wise, SNI needs to be configured either on SSL Engine allocation or via SSLParameters.setServerNames(…)/SSLParameters.setSNIMatchers(…).

We could have a configuration of an SSLParameters Function to post-process the existing parameters for greater flexibility and an additional flag in the config for enabling SNI to indicate the configured hostname/port to the SSL endpoint.

@davecramer does PGJDBC have support for SNI?
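
The `SSLParameters.setServerNames(…)` route named in the comment above, as an added Java example (not code from r2dbc-postgresql or PGJDBC). The class and helper names, the simplified IP-literal check and the sample hosts are assumptions made for illustration; the example also skips SNI for literal IP addresses, which the `server_name` extension does not permit (RFC 6066).

```java
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniEngineExample {

    // Simplified literal-address check (an assumption of this example).
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || IPV4.matcher(host).matches();
    }

    // Hypothetical helper: builds a client SSLEngine and sets SNI explicitly.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port, boolean sni) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        if (sni && !isIpLiteral(host)) {
            // server_name carries DNS host names only, so literals are skipped.
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));
        } else {
            // An empty list, unlike null, overrides the default name JSSE
            // derives from the peer host, so no SNI is sent.
            params.setServerNames(Collections.emptyList());
        }
        engine.setSSLParameters(params);
        return engine;
    }

    // Names the engine is configured to put in the ClientHello.
    static List<SNIServerName> configuredNames(SSLEngine engine) {
        return engine.getSSLParameters().getServerNames();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample endpoints; no connection is opened.
        System.out.println(configuredNames(clientEngine(ctx, "db.example.internal", 5432, true)));
        System.out.println(configuredNames(clientEngine(ctx, "db.example.internal", 5432, false)));
        System.out.println(configuredNames(clientEngine(ctx, "192.0.2.10", 5432, true)));
    }
}
```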

> We could have a configuration of an SSLParameters Function to post-process the existing parameters for greater flexibility and an additional flag in the config for enabling SNI to indicate the configured hostname/port to the SSL endpoint.

Sounds great!

> @davecramer does PGJDBC have support for SNI?

I believe it does. Quote from the mail list

> Just as additional data points, it has come to my attention that both
> the Go driver ("lib/pq") and the JDBC environment already send SNI
> automatically. (In the case of JDBC this is done by the Java system
> libraries, not the JDBC driver implementation.)

https://www.postgresql.org/message-id/9407b344-7342-b2b7-004f-d5250687be42%40enterprisedb.com

That's in place now with SNI enabled by default to align with PGJDBC. Can you test the current 1.0.5.BUILD-SNAPSHOT build and let us know whether the change works for you? If so, we'd like to ship a release today or tomorrow.

Wow, thanks for the quick and awesome work! That's so cool!

> Can you test the current 1.0.5.BUILD-SNAPSHOT build and let us know whether the change works for you?

Yes, it works perfectly!