enable SNI #953
enable SNI #953
Conversation
|
Hi @conradludgate, I currently face the same problem on neon too. |
|
sslmode=require does not verify that the certificate is valid, it only ensures that TLS is used. I would recommend verify-full of you can (neon supports this perfectly) |
| @@ -283,6 +287,10 @@ func parseDSN(dsn string) ([]Option, error) { | |||
| // (verify chain, but skip server name). | |||
| // See https://github.com/golang/go/issues/21971 . | |||
There was a problem hiding this comment.
Please update the comment and explain why this is required
There was a problem hiding this comment.
The comment is still correct. InsecureSkipVerify = true will not verify either the certificate chain nor verify the server name. The ServerName field only adds the server name to the TLS ClientHello but doesn't impact the verification if insecure is set.
Adding the ServerName config allows TLS to include the ServerNameIdentification (SNI) extension. We use this at Neon to determine which database endpoint to connect to: https://neon.tech/docs/connect/connection-errors#the-endpoint-id-is-not-specified
I have tested that this works for
sslmode=require, but I need to still confirm that this doesn't break the insecure modes from being insecure