Re: Direct SSL connection with ALPN and HBA rules
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Jacob Champion <jacob.champion@enterprisedb.com>,
Robert Haas <robertmhaas@gmail.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, Michael Paquier
<michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-05-15T13:33:33Z
Lists: pgsql-hackers
Attachments
- v2-0001-Remove-option-to-fall-back-from-direct-to-postgre.patch (text/x-patch) patch v2-0001
On 14/05/2024 01:29, Jacob Champion wrote: > Definitely not a major problem, but I think > select_next_encryption_method() has gone stale, since it originally > provided generality and lines of fallback that no longer exist. In > other words, I think the following code is now misleading: > >> if (conn->sslmode[0] == 'a') >> SELECT_NEXT_METHOD(ENC_PLAINTEXT); >> >> SELECT_NEXT_METHOD(ENC_NEGOTIATED_SSL); >> SELECT_NEXT_METHOD(ENC_DIRECT_SSL); >> >> if (conn->sslmode[0] != 'a') >> SELECT_NEXT_METHOD(ENC_PLAINTEXT); > > To me, that implies that negotiated mode takes precedence over direct, > but the point of the patch is that it's not possible to have both. And > if direct SSL is in use, then sslmode can't be "allow" anyway, and we > definitely don't want ENC_PLAINTEXT. > > So if someone proposes a change to select_next_encryption_method(), > you'll have to remember to stare at init_allowed_encryption_methods() > as well, and think really hard about what's going on. And vice-versa. > That worries me. Ok, yeah, I can see that now. Here's a new version to address that. I merged ENC_SSL_NEGOTIATED_SSL and ENC_SSL_DIRECT_SSL to a single method, ENC_SSL. The places that need to distinguish between them now check conn-sslnegotiation. That seems more clear now that there is no fallback. -- Heikki Linnakangas Neon (https://neon.tech)
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited