
PostgreSQL: Add support for direct SSL negotiation

Open matthudsonatx opened this issue 6 months ago • 1 comment

Describe the feature

Since PostgreSQL 17, implicit or direct SSL/TLS negotiation is supported by the server and the libpq client library. Previously PostgreSQL only negotiated TLS after a PGSQL protocol handshake; with direct negotiation, TLS envelops the PGSQL protocol in the same way it envelops HTTP to form HTTPS.

This makes it possible to terminate TLS for postgresql with nginx, caddy, haproxy, etc. as well as negotiate backend server/protocol with SNI and ALPN without extra round-trips.

It would be really nice if PgClient library users had an easy way to specify the protocol(s) and client cipher suite in addition to the usual TLS options. The Change Cipher Spec message is another unnecessary round-trip.

Docs: https://www.postgresql.org/docs/current/libpq-connect.html

TL;DR: enable direct negotiation for libpq with the parameter sslnegotiation=direct or the environment variable PGSSLNEGOTIATION=direct.

Contribution

No response

matthudsonatx avatar Jul 03 '25 13:07 matthudsonatx
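
The two negotiation styles described in the issue can be told apart from the first bytes on the wire. The sketch below is an added example, not code from the issue or from vertx-sql-client; the function names and sample bytes are constructed for illustration, and the SSLRequest code and the "postgresql" ALPN identifier are taken from the PostgreSQL wire protocol rather than from this page.

```python
import ssl
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679: traditional SSLRequest
PROTOCOL_3_0 = 196608        # 3 << 16: version field of a StartupMessage
ALPN_POSTGRESQL = "postgresql"  # ALPN id offered by a direct-TLS client

# Constructed sample inputs (not captured traffic).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
_params = b"user\x00app\x00\x00"
SAMPLE_STARTUP = struct.pack("!II", 8 + len(_params), PROTOCOL_3_0) + _params


def build_ssl_request() -> bytes:
    """Traditional negotiation: 8 cleartext bytes sent before any TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "direct-tls"  # TLS handshake record, ClientHello comes first
    if len(data) < 8:
        return "incomplete"
    length, code = struct.unpack("!II", data[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "traditional-sslrequest"  # server replies 'S' or 'N' in clear
    if code == PROTOCOL_3_0:
        return "plaintext-startup"  # session starts with no TLS at all
    return "unknown"


def direct_tls_context(cafile=None) -> ssl.SSLContext:
    """Client context for direct negotiation: verified cert, ALPN set."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols([ALPN_POSTGRESQL])
    return ctx


if __name__ == "__main__":
    for name, sample in [("SSLRequest", build_ssl_request()),
                         ("ClientHello", SAMPLE_CLIENT_HELLO),
                         ("StartupMessage", SAMPLE_STARTUP)]:
        print(name, "->", classify_first_bytes(sample))
```

With direct negotiation there is no cleartext 'S'/'N' answer to fall back on, which is why libpq only accepts sslnegotiation=direct together with sslmode=require or stronger.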

It might be backported

vietj avatar Jul 03 '25 13:07 vietj