Fix sslsni connparam boolean check

The check for sslsni only checked for existence of the parameter
but not for the actual value of the param.  This meant that the
SNI extension was always turned on.  Fix by inspecting the value
of sslsni and only activate the SNI extension iff sslsni has been
enabled.  Also update the docs to be more in line with how other
boolean params are documented.

Backpatch to 14 where sslsni was first implemented.

Reviewed-by: Tom Lane
Backpatch-through: 14, where sslni was added

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 56689ba8730ec106290ebf84d2e13d6e3553c4f7..b449c834a95b8a6be41a30653bdb28067b5c9d0c 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1782,7 +1782,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       sslsniServer Name Indication
       
        
-        By default, libpq sets the TLS extension Server Name
+        If set to 1 (default), libpq sets the TLS extension Server Name
         Indication (SNI) on SSL-enabled connections.
         By setting this parameter to 0, this is turned off.
        

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2ee5a0a40aad905891d1a14ae206c16a53d0d5f8..e3b43c8723386bea5312b9eb224a5f3aa62e47a6 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1092,7 +1092,7 @@ initialize_SSL(PGconn *conn)
     * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
     * or IPv6).
     */
-   if (conn->sslsni && conn->sslsni[0])
+   if (conn->sslsni && conn->sslsni[0] == '1')
    {
        const char *host = conn->connhost[conn->whichhost].host;