Related: https://bugs.mysql.com/bug.php?id=84849

This can also be useful for proxy solutions to determine to which backend database a connection should be routed.

What could be the use case?

In the proxy — yes, I understand. In the client — ditto, for proxy to work.

But why one may need it in the database server?

serg: Use case: I am at a very big German company atm. And they want to build their own Kubernets DBaaS with MySQL Enterprise. They do not have enough IP addresses so they have to bind mysql to different ports. And thus TLS/SSL termination does not work per IP. So they want SNI in MySQL. At least that's what I have understood. And I am not sure that it will change the game when mariadb can offer this features (I am personally not convinced that it is the right approach, private Class A network, IPv6, etc...)

oli perhaps MDEV-15450 is of interest.

If SNI is required in the server what is expected? Sure you need to deliver a different server certificate based on the SNI name but then what? They end up at the same DB server instance. If there's no difference at that point why get clients connect to different database server names?

Imagine a multi tenant server for which you rent out accounts. E.g. a cloud vendor could do this. The infrastructure around this server might change (e.g. as you grow). But you want to provide your clients a stable hostname to which they can connect (securely).

E.g. you have a MariaDB server at hostname db1.my-awesome-cloud.com. You're still small, with one MariaDB server. In the next months, 100 more clients sign up and you need to add another MariaDB server and divide the accounts between. Now, you don't want to have half of your clients change the host they connect to into db2.my-awesome-cloud.com. Instead, you were smart and actually gave them each individual hostnames (CNAMED to db1.etc). For each hostname you signed a certificate with an authority your tenants trusted from the beginning. Now when adding the new server and migrating the tenants to it, you only have to change the DNS records.

ISTM an ideal SNI implementation can accommodate arbitrarily many domain names without making the server preload a certificate for each domain. Yet more ideally, allow server admins to specify custom lookup logic for each domain name—e.g., via a script.

The Pure-FTPd project has a protocol for SNI support that could be useful here:
https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

Maybe have a global variable `tls_sni_method` that can accept values:

• `command`: path to a command that returns a key & chain for a given domain name
• `socket`: path to a UNIX socket that does the same
• `plugin`: specify some sort of plugin that could do the lookup in-process?

Is there a client-only version of this request? It seems like it ought to be comparatively trivial (maybe just require a client flag --enable-sni or something so those who don't want SNI aren't surprised).

I assumed this had been done years ago, once "PaaS" and "DBaaS" terms were coined. Imagine my surprise when, after setting up, securing, and creating a passthrough route to my MariaDB instance on OpenShift, I found... there's no way to reach it with an external client. The router would know what to do with the request if the client would simply... TELL IT... which hostname it wants to reach.

I tried to put stunnel in front instead, but haven't been able to get it to work yet. Not sure if that's my ignorance or if there's a technical reason it won't work.

After facing the issue i was looking for implementation in HaProxy, inspecting the MySQL protocol for _server_host is not valid unless you use commercial version with lua plugin to decode handshake. the alternative approach layer 7 chain to other layer 7 proxy is a pure wast of ressources and most layer7 proxy can not expose multi server certifcate in frontend . Exposing SNI in
all clients would solved the issue the proper way , is this no yet possible using ssl-verify-server-cert or some other parameters after so many years ?

Seems like mysql client v8.1.0 has added client-side add sni feature

mysql v8.1.0

MySQL now implements client-side Server Name Indication (SNI), which is an extension to the TLS protocol. Client applications can pass a server name to the libmysqlclient C API library with the new MYSQL_OPT_TLS_SNI_SERVERNAME option for mysql_options(). Similarly, each MySQL client program now includes a --tls-sni-servername command option to pass in a name. The new Tls_sni_server_name server status variable indicates the name if one is set for the session. Our thanks to Meta for the contribution. (Bug #33176362, WL #14839)

Can I assume it is compatible with mariadb server? What I want to achieve is to use sni hostname to route the client request to different mariadb server instance backend (ip address)