ssl: Serverside SNI support for libpq

Support for SNI was added to clientside libpq in 5c55dc8b4733 with the
sslsni parameter, but there was no support for utilizing it serverside.
This adds support for serverside SNI such that certificate/key handling
is available per host.

A new config file, $datadir/pg_hosts.conf, is used for configuring which
certificate and key should be used for which hostname. In order to use
SNI the ssl_sni GUC must be set to on, when it is off the ssl configuration
works just like before. If ssl_sni is enabled and pg_hosts.conf is
non-empty it will take precedence over the regular SSL GUCs, if it is
empty or missing the regular GUCs will be used just as before this commit
with no hostname specific handling.

The TLS init hook is not compatible with ssl_sni since it operates on a
single TLS configuration and SNI breaks that assumption. If the init hook
and ssl_sni are both enabled, a WARNING will be issued.
Host configuration can either be for a literal hostname to match, non-SNI
connections using the no_sni keyword or a default fallback matching all
connections. By omitting no_sni and the fallback a strict mode can be
achieved where only connections using sslsni=1 and a specified hostname
are allowed. CRL file(s) are applied from postgresql.conf to all
configured hostnames.

Serverside SNI requires OpenSSL, currently LibreSSL does not support the
required infrastructure to update the SSL context during the TLS
handshake.

Author: Daniel Gustafsson <[email protected]>
Co-authored-by: Jacob Champion <[email protected]>
Reviewed-by: Jacob Champion <[email protected]>
Reviewed-by: Zsolt Parragi <[email protected]>
Reviewed-by: Chao Li <[email protected]>
Reviewed-by: Dewei Dai <[email protected]>
Reviewed-by: Cary Huang <[email protected]>
Reviewed-by: Heikki Linnakangas <[email protected]>
Discussion: https://postgr.es/m/[email protected]

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/4f433025f666fa4a6209f0e847715767fb1c7ace

Modified Files
--------------
configure                                     |   2 +-
configure.ac                                  |   2 +-
doc/src/sgml/runtime.sgml                     | 123 +++
meson.build                                   |   1 +
src/backend/Makefile                          |   2 +
src/backend/commands/variable.c               |  21 +
src/backend/libpq/be-secure-common.c          | 267 ++++++-
src/backend/libpq/be-secure-openssl.c         | 863 ++++++++++++++++++---
src/backend/libpq/be-secure.c                 |   3 +
src/backend/libpq/meson.build                 |   1 +
src/backend/libpq/pg_hosts.conf.sample        |   4 +
src/backend/utils/misc/guc.c                  |  32 +
src/backend/utils/misc/guc_parameters.dat     |  15 +
src/backend/utils/misc/guc_tables.c           |   1 +
src/backend/utils/misc/postgresql.conf.sample |   3 +
src/bin/initdb/initdb.c                       |  15 +-
src/include/libpq/hba.h                       |  30 +
src/include/libpq/libpq.h                     |   5 +-
src/include/pg_config.h.in                    |   3 +
src/include/utils/guc.h                       |   1 +
src/include/utils/guc_hooks.h                 |   1 +
.../ssl_passphrase_callback/t/001_testfunc.pl |  34 +
src/test/perl/PostgreSQL/Test/Cluster.pm      |  35 +
src/test/ssl/meson.build                      |   1 +
src/test/ssl/t/001_ssltests.pl                |   6 +-
src/test/ssl/t/004_sni.pl                     | 453 +++++++++++
src/tools/pgindent/typedefs.list              |   2 +
27 files changed, 1828 insertions(+), 98 deletions(-)
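The selection rules the commit message describes (literal hostname match, the no_sni entry for non-SNI clients, a default fallback, strict mode when both are omitted, and the plain ssl_cert_file/ssl_key_file GUCs when ssl_sni is off or pg_hosts.conf is empty) are small enough to model directly. The following is an added Python illustration of those rules, not PostgreSQL's own code: the three-column line format, the `default` keyword for the fallback entry, the sample file contents and the case-insensitive hostname comparison are all assumptions made for the example; only the `no_sni` keyword and the precedence rules come from the commit message.

```python
"""Model of per-hostname certificate selection for serverside SNI.

Illustration only; not PostgreSQL code. The pg_hosts.conf line format
used here (`<hostname|no_sni|default> <certfile> <keyfile>`, '#' comments)
is hypothetical. Only the `no_sni` keyword and the precedence rules come
from the commit message."""
from dataclasses import dataclass, field
from typing import Dict, Optional

NO_SNI = "no_sni"      # keyword from the commit message: non-SNI connections
FALLBACK = "default"   # hypothetical keyword for the "default fallback" entry


@dataclass(frozen=True)
class CertPair:
    cert_file: str
    key_file: str


@dataclass
class HostsConfig:
    hosts: Dict[str, CertPair] = field(default_factory=dict)  # literal names
    no_sni: Optional[CertPair] = None
    fallback: Optional[CertPair] = None

    def is_empty(self) -> bool:
        return not self.hosts and self.no_sni is None and self.fallback is None


def parse_pg_hosts(text: str) -> HostsConfig:
    """Parse the hypothetical three-column format into a HostsConfig."""
    cfg = HostsConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"pg_hosts.conf line {lineno}: expected 3 fields")
        name, cert, key = fields
        pair = CertPair(cert, key)
        if name == NO_SNI:
            cfg.no_sni = pair
        elif name == FALLBACK:
            cfg.fallback = pair
        else:
            # Assumption for the example: hostnames compare case-insensitively.
            cfg.hosts[name.lower()] = pair
    return cfg


def select_certificate(cfg: HostsConfig, sni_hostname: Optional[str],
                       ssl_sni: bool, guc_pair: CertPair) -> Optional[CertPair]:
    """Return the CertPair to present, or None to reject the handshake.

    ssl_sni off, or an empty pg_hosts.conf, means the regular GUC-configured
    certificate (guc_pair) is used unchanged. Otherwise a literal hostname
    match wins, a client that sent no SNI gets the no_sni entry, and the
    default entry catches everything else. With neither no_sni nor default
    configured, only SNI connections naming a configured host succeed,
    which is the strict mode described in the commit message."""
    if not ssl_sni or cfg.is_empty():
        return guc_pair
    if sni_hostname is None:
        return cfg.no_sni or cfg.fallback
    return cfg.hosts.get(sni_hostname.lower()) or cfg.fallback


# Constructed sample files for the example (hypothetical format).
SAMPLE_PG_HOSTS = """\
# hostname / keyword     certificate    key
db.example.com           db.crt         db.key
reports.example.com      reports.crt    reports.key
no_sni                   legacy.crt     legacy.key
default                  wildcard.crt   wildcard.key
"""
STRICT_PG_HOSTS = "db.example.com db.crt db.key\n"   # no no_sni, no default
GUC_PAIR = CertPair("server.crt", "server.key")      # ssl_cert_file/ssl_key_file


if __name__ == "__main__":
    cfg = parse_pg_hosts(SAMPLE_PG_HOSTS)
    strict = parse_pg_hosts(STRICT_PG_HOSTS)
    for label, conf, host in [("sni match", cfg, "db.example.com"),
                              ("no sni", cfg, None),
                              ("unknown host", cfg, "other.example.org"),
                              ("strict, no sni", strict, None),
                              ("strict, unknown", strict, "other.example.org")]:
        print(f"{label:16} -> {select_certificate(conf, host, True, GUC_PAIR)}")
```

A `None` result is the strict-mode rejection: the client either sent no SNI or named a host that is not configured, and no no_sni or default entry exists to catch it.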
