Re: Direct SSL connection with ALPN and HBA rules
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-23T05:42:08Z
Lists: pgsql-hackers
On Mon, Apr 22, 2024 at 10:47:51AM +0300, Heikki Linnakangas wrote: > On 22/04/2024 10:19, Michael Paquier wrote: >> As a whole, I can get behind a unique GUC that forces the use of >> direct. Or, we could extend the existing "ssl" GUC with a new >> "direct" value to accept only direct connections and restrict the >> original protocol (and a new "postgres" for the pre-16 protocol, >> rejecting direct?), while "on" is able to accept both. > > I'd be OK with that, although I still don't really see the point of forcing > this from the server side. We could also add this later. I'd be OK with doing something only in v18, if need be. Jacob, what do you think? >> Hmm. Splitting the logic checking HBA entries (around check_hba) so >> as we'd check for a portion of its contents depending on what the >> server has received or not from the client would not be that >> complicated. I'd question whether it makes sense to mix this >> information within the same configuration files as the ones holding >> the current HBA rules. If the same rules are used for the >> pre-startup-packet phase and the post-startup-packet phase, we'd want >> new keywords for these HBA rules, something different than the >> existing sslmode and no sslmode? > > Sounds complicated, and I don't really see the use case for controlling the > direct SSL support in such a fine-grained fashion. > > It would be nice if we could reject non-SSL connections before the client > sends the startup packet, but that's not possible because in a plaintext > connection, that's the first packet that the client sends. The reverse would > be possible: reject SSLRequest or direct SSL connection immediately, if HBA > doesn't allow non-SSL connections from that IP address. But that's not very > interesting. I'm not completely sure, actually. We have the APIs to do that in simple ways with existing keywords and new options. And there is some merit being able to have more complex connection policies. If both of you object to that, I won't insist. > HBA-based control would certainly be v18 material. Surely. -- Michael
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited