Re: Direct SSL connection and ALPN loose ends
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Peter Eisentraut <peter@eisentraut.org>,
Robert Haas <robertmhaas@gmail.com>, Michael Paquier <michael@paquier.xyz>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-20T23:32:45Z
Lists: pgsql-hackers
On Thu, Jun 20, 2024 at 4:13 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote: > > By "negotiation" I mean the server's response to the startup packet. > > I.e. "supported"/"not supported"/"error". > > Ok, I'm still a little confused, probably a terminology issue. The > server doesn't respond with "supported" or "not supported" to the > startup packet, that happens earlier. I think you mean the SSLRequst / > GSSRequest packet, which is sent *before* the startup packet? Yes, sorry. (I'm used to referring to those as startup packets too, ha.) > Hmm, right, GSS encryption was introduced in v12, and older versions > respond with an error to a GSSRequest. > > We probably could make the same assumption for GSS as we did for TLS in > a49fbaaf, i.e. that an error means that something's wrong with the > server, rather than that it's just very old and doesn't support GSS. But > the case for that is a lot weaker case than with TLS. There are still > pre-v12 servers out there in the wild. Right. Since we default to gssencmode=prefer, if you have Kerberos creds in your environment, I think this could potentially break existing software that connects to v11 servers once you upgrade libpq. Thanks, --Jacob
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add tests for errors during SSL or GSSAPI handshake
- ef7fa900fb58 18.0 landed
-
Add test for early backend startup errors
- 20e0e7da9bc0 18.0 landed
-
Fix fallback behavior when server sends an ERROR early at startup
- f06a632a77ed 17.0 landed
- c95d2159c1dd 18.0 landed
-
Fix outdated comment after removal of direct SSL fallback
- 5afebbe529ab 17.0 landed
- cc68ca6d420e 18.0 landed