author Daniel Gustafsson <dgustafsson@postgresql.org> 2021-08-13 10:32:17 +0200
committer Daniel Gustafsson <dgustafsson@postgresql.org> 2021-08-13 10:32:17 +0200
commit 512f4ca6c6b5d2e3a1620288048ccaa712121e12
tree bada30dccac0d30ca1cee115f55dab6de044e1fd
parent 37450f2ca9ad430d78673cc26816fc2085e65904
Fix sslsni connparam boolean check
The check for sslsni only checked for existence of the parameter but not for the actual value of the param. This meant that the SNI extension was always turned on. Fix by inspecting the value of sslsni and only activate the SNI extension iff sslsni has been enabled. Also update the docs to be more in line with how other boolean params are documented.

Backpatch to 14 where sslsni was first implemented.

Reviewed-by: Tom Lane
Backpatch-through: 14, where sslsni was added
-rw-r--r-- doc/src/sgml/libpq.sgml 2
-rw-r--r-- src/interfaces/libpq/fe-secure-openssl.c 2
2 files changed, 2 insertions, 2 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 56689ba8730..b449c834a95 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1782,7 +1782,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term>
<listitem>
<para>
- By default, libpq sets the TLS extension <quote>Server Name
+ If set to 1 (default), libpq sets the TLS extension <quote>Server Name
Indication</quote> (<acronym>SNI</acronym>) on SSL-enabled connections.
By setting this parameter to 0, this is turned off.
</para>
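Review bot: The reworded paragraph documents only the values 1 and 0 ("If set to 1 (default)" and "By setting this parameter to 0, this is turned off") and leaves every other value unspecified, while the companion change in fe-secure-openssl.c treats anything whose first character is not '1' as off. Suggest stating that explicitly, for example "Any value other than 1 disables SNI", so that a user who writes sslsni=true or sslsni=on is not surprised to find the extension absent from the ClientHello. Since SNI carries the host name in cleartext, the sentence is also a good place to say that 0 is the setting for clients that must not expose the server name on the wire.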
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2ee5a0a40aa..e3b43c87233 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1092,7 +1092,7 @@ initialize_SSL(PGconn *conn)
* Per RFC 6066, do not set it if the host is a literal IP address (IPv4
* or IPv6).
*/
- if (conn->sslsni && conn->sslsni[0])
+ if (conn->sslsni && conn->sslsni[0] == '1')
{
const char *host = conn->connhost[conn->whichhost].host;
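Review bot: The new condition `conn->sslsni[0] == '1'` compares only the first character, so a value such as "10" or "1x" enables SNI, while "true", "on" or "yes" silently disables it. If sslsni is meant to be a strict 0/1 boolean, consider rejecting anything other than exactly "0" or "1" where the connection options are validated, with an error message naming the parameter, and keep this site as a plain comparison against the validated value. The comment above the condition still only covers the RFC 6066 literal-IP rule; a line noting that SNI is also skipped when sslsni is not 1 would keep it in step with the code. The diffstat shows only the doc and source file changed, so a regression test asserting that sslsni=0 produces a handshake without the server name extension would guard against the original always-on behaviour returning.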