Re: SSL SNI

On 08.06.21 08:54, Michael Paquier wrote:
> On Mon, Jun 07, 2021 at 11:34:24AM -0400, Tom Lane wrote:
>> Yeah, I'd include the empty-string test just because it's standard
>> practice in this area of libpq.  Whether those tests are actually
>> triggerable in every case is obscure, but ...
> 
> Checking after a NULL string and an empty one is more libpq-ish.
> 
>> Patch looks sane by eyeball, though I didn't test it.
> 
> I did, and I could not break it.
> 
> +               SSLerrfree(err);
> +               SSL_CTX_free(SSL_context);
> +               return -1;
> It seems to me that there is no need to free SSL_context if
> SSL_set_tlsext_host_name() fails here, except if you'd like to move
> the check for the SNI above SSL_CTX_free() around L1082.  There is no
> harm as SSL_CTX_free() is a no-op on NULL input.

Good point.  Committed that way.