Re: Direct SSL connection with ALPN and HBA rules
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Michael Paquier <michael@paquier.xyz>,
Heikki Linnakangas <hlinnaka@iki.fi>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-23T19:33:58Z
Lists: pgsql-hackers
On Tue, Apr 23, 2024 at 10:43 AM Robert Haas <robertmhaas@gmail.com> wrote: > I've not followed this thread closely enough to understand the comment > about requiredirect maybe not actually requiring direct, but if that > were true it seems like it might be concerning. It may be my misunderstanding. This seems to imply bad behavior: > If the server rejects GSS encryption, SSL is > negotiated over the same TCP connection using the traditional postgres > protocol, regardless of <literal>sslnegotiation</literal>. As does this comment: > + /* > + * If enabled, try direct SSL. Unless we have a valid TCP connection that > + * failed negotiating GSSAPI encryption or a plaintext connection in case > + * of sslmode='allow'; in that case we prefer to reuse the connection with > + * negotiated SSL, instead of reconnecting to do direct SSL. The point of > + * direct SSL is to avoid the roundtrip from the negotiation, but > + * reconnecting would also incur a roundtrip. > + */ but when I actually try those cases, I see that requiredirect does actually cause a direct SSL connection to be done, even with sslmode=allow. So maybe it's just misleading documentation (or my misreading of it) that needs to be expanded? Am I missing a different corner case where requiredirect is ignored, Heikki? I still question the utility of allowing sslmode=allow with sslnegotiation=requiredirect, because it seems like you've made both the performance and security characteristics actively worse if you choose that combination. But I want to make sure I understand the current behavior correctly before I derail the discussion too much... Thanks, --Jacob
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited