From ffff00a3556734f859f375b8c76c89f1d2920bcd Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Fri, 13 Aug 2021 10:32:16 +0200
Subject: [PATCH] Fix sslsni connparam boolean check
The check for sslsni only checked for existence of the parameter
but not for the actual value of the param. This meant that the
SNI extension was always turned on. Fix by inspecting the value
of sslsni and only activate the SNI extension iff sslsni has been
enabled. Also update the docs to be more in line with how other
boolean params are documented.
Backpatch to 14 where sslsni was first implemented.
Reviewed-by: Tom Lane
Backpatch-through: 14, where sslni was added
---
doc/src/sgml/libpq.sgml | 2 +-
src/interfaces/libpq/fe-secure-openssl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 56689ba873..b449c834a9 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1782,7 +1782,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term>
<listitem>
<para>
- By default, libpq sets the TLS extension <quote>Server Name
+ If set to 1 (default), libpq sets the TLS extension <quote>Server Name
Indication</quote> (<acronym>SNI</acronym>) on SSL-enabled connections.
By setting this parameter to 0, this is turned off.
</para>
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 67feaedc4e..f2b5feccc7 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1087,7 +1087,7 @@ initialize_SSL(PGconn *conn)
* Per RFC 6066, do not set it if the host is a literal IP address (IPv4
* or IPv6).
*/
- if (conn->sslsni && conn->sslsni[0])
+ if (conn->sslsni && conn->sslsni[0] == '1')
{
const char *host = conn->connhost[conn->whichhost].host;
--
2.24.1