Expose SNI (TLS server name indication) #323
Merged
sunng87 merged 8 commits into sunng87:master, Oct 10, 2025
Conversation
- After TLS accept, read rustls connection server_name and store it.
- Use metadata key (aligns with rustls naming) instead of .
- Keep change minimal: update before framing, using mutable client_info.
- Add unit test to validate SNI extraction with localhost certificate.

- Stand up ad-hoc TLS server/client using repo demo cert.
- Mirror production logic: insert rustls server_name into DefaultClient metadata.
- Assert metadata[server_name] == "localhost".

- Use rustls dangerous() custom verifier to skip cert validation.
- Focus the test on SNI plumbing rather than PKI constraints.

- Provide required signature verification methods and Debug impl.
- Keeps the test focused on SNI observation.
sunng87 (Owner) reviewed Oct 9, 2025

@ybrs Thank you for the patch! This is reasonable. We already provide access to the client certificate, so it's important to provide the SNI server name too.
sunng87 approved these changes Oct 10, 2025
We expose server_name from rustls to client metadata with this PR.
This is helpful in some cases. If one is using pgwire for load balancing/routing among servers, one can decide with server_name. Also I think it can be helpful for some sanity checks: if someone is trying to connect by scanning IP addresses etc., the server can just close the connection as something is fishy.
I tried to come up with some unit tests (tried a few ways; in the end this works on macOS and Linux, but I'm open to suggestions).
Also tested manually. I have a branch that is checking this server_name in riffq; it works simply when TLS is enabled [1].
Simply connecting with psql (after version 12) when TLS is enabled sends the SNI.
With ssl=verify-full or ssl=require etc. it also works.
When TLS is enabled but the client doesn't send SNI (or when connecting with an IP), it also sets server_name as None.
Let me know what you think.
[1] ybrs/riffq#105
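The two uses the description gives for the exposed SNI, routing among backends and closing connections that look like scans, can be written as one decision step over the client metadata. The following is an added example, not code from this PR or from pgwire or riffq. It assumes the metadata is a String-to-String map with the SNI stored under the key "server_name" (the key the commit messages mention), that a client that sent no SNI simply has no entry under that key, and a hypothetical `routes` table mapping hostnames to backend addresses. Hostnames are compared case-insensitively and an IP literal in SNI (which RFC 6066 forbids) is treated as a probe.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Outcome of looking at the SNI stored in the client metadata.
#[derive(Debug, PartialEq)]
pub enum SniDecision {
    /// Forward the session to this backend address.
    Route(String),
    /// Close the connection; the string is the reason to log.
    Reject(String),
}

/// Metadata key under which the server_name is stored (assumption based on
/// the commit messages: metadata[server_name]).
pub const SNI_KEY: &str = "server_name";

/// Decide what to do with a freshly accepted TLS client.
///
/// `metadata`: per-client key/value map (assumed String -> String).
/// `routes`:   lower-cased SNI hostname -> backend address (hypothetical table).
pub fn route_by_sni(
    metadata: &HashMap<String, String>,
    routes: &HashMap<&str, &str>,
) -> SniDecision {
    let raw = match metadata.get(SNI_KEY) {
        // No SNI at all: client connected by IP address, uses an old libpq,
        // or is a scanner that never sent a server_name.
        None => return SniDecision::Reject("no SNI in ClientHello".to_string()),
        Some(name) => name,
    };

    // SNI hostnames are case-insensitive; a trailing dot is the same name.
    let name = raw.trim_end_matches('.').to_ascii_lowercase();
    if name.is_empty() {
        return SniDecision::Reject("empty SNI".to_string());
    }

    // RFC 6066 does not allow IP literals in server_name; a client sending
    // one is not a normal libpq and is treated as a probe.
    if name.parse::<IpAddr>().is_ok() {
        return SniDecision::Reject(format!("IP literal {name} in SNI"));
    }

    match routes.get(name.as_str()) {
        Some(backend) => SniDecision::Route((*backend).to_string()),
        None => SniDecision::Reject(format!("unknown SNI {name}")),
    }
}

/// Builds the hypothetical routing table used by the demo and the tests.
pub fn demo_routes() -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("db.example.com", "10.0.0.5:5432"),
        ("analytics.example.com", "10.0.0.6:5432"),
    ])
}

/// Constructs a metadata map with the given server_name, or none at all.
pub fn demo_metadata(server_name: Option<&str>) -> HashMap<String, String> {
    let mut md = HashMap::new();
    if let Some(name) = server_name {
        md.insert(SNI_KEY.to_string(), name.to_string());
    }
    md
}

fn main() {
    let routes = demo_routes();
    // Constructed inputs: what psql >= 12 sends with sslmode=require, a scan
    // by IP that sends no SNI, and a client presenting an IP literal.
    for sni in [Some("DB.Example.COM."), None, Some("10.0.0.5"), Some("other.example.com")] {
        let decision = route_by_sni(&demo_metadata(sni), &routes);
        println!("{sni:?} -> {decision:?}");
    }
}
```

The lookup is done on the normalised name, so the routing table only needs lower-case entries; the rejection reasons are the text you would want in the log line when the front-end closes a connection.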