Re: Direct SSL connection with ALPN and HBA rules
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
Michael Paquier <michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-26T15:25:21Z
Lists: pgsql-hackers
On Thu, Apr 25, 2024 at 5:50 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote: > On 25/04/2024 21:13, Jacob Champion wrote: > > On Thu, Apr 25, 2024 at 10:35 AM Robert Haas <robertmhaas@gmail.com> wrote: > >> Maybe I'm missing something here, but why doesn't sslnegotiation > >> override sslmode completely? Or alternatively, why not remove > >> sslnegotiation entirely and just have more sslmode values? I mean > >> maybe this shouldn't happen categorically, but if I say I want to > >> require a direct SSL connection, to me that implies that I don't want > >> an indirect SSL connection, and I really don't want a non-SSL > >> connection. > > My thinking with sslnegotiation is that it controls how SSL is > negotiated with the server, if SSL is to be used at all. It does not > control whether SSL is used or required; that's what sslmode is for. I think this might boil down to the order in which someone thinks that different settings should be applied. It sounds like your mental model is that GSS settings are applied first, and then SSL settings are applied afterwards, and then within the SSL bucket you can select how you want to do SSL (direct or negotiated) and how required it is. My mental model is different: I imagine that since direct SSL happens from the first byte exchanged over the socket, direct SSL "happens first", making settings that pertain to negotiated GSS and negotiated SSL irrelevant. Because, logically, if you've decided to use direct SSL, you're not even going to get a chance to negotiate those things. I understand that the code as written works around that, by being able to open a new connection if it turns out that we need to negotiate that stuff after all, but IMHO that's rather confusing. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited