Support TLS handshake directly without SSLRequest negotiation
By skipping SSLRequest, you can eliminate one round-trip when
establishing a TLS connection. It is also more friendly to generic TLS
proxies that don't understand the PostgreSQL protocol.
This is disabled by default in libpq, because the direct TLS handshake
will fail with old server versions. It can be enabled with the
sslnegotation=direct option. It will still fall back to the negotiated
TLS handshake if the server rejects the direct attempt, either because
it is an older version or the server doesn't support TLS at all, but
the fallback can be disabled with the sslnegotiation=requiredirect
option.
Author: Greg Stark, Heikki Linnakangas
Reviewed-by: Matthias van de Meent, Jacob Champion
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/d39a49c1e459804831302807c724fa6512e90cf0
Modified Files
--------------
doc/src/sgml/libpq.sgml | 87 ++++-
doc/src/sgml/protocol.sgml | 36 +++
src/backend/libpq/be-secure.c | 52 ++-
src/backend/libpq/pqcomm.c | 12 +-
src/backend/tcop/backend_startup.c | 98 +++++-
src/include/libpq/libpq-be.h | 13 +
src/include/libpq/libpq.h | 2 +-
src/interfaces/libpq/fe-connect.c | 102 +++++-
src/interfaces/libpq/fe-secure-openssl.c | 7 +-
src/interfaces/libpq/libpq-fe.h | 4 +-
src/interfaces/libpq/libpq-int.h | 6 +-
.../libpq_encryption/t/001_negotiate_encryption.pl | 357 +++++++++++++--------
12 files changed, 609 insertions(+), 167 deletions(-)