Re: Direct SSL connection with ALPN and HBA rules
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
Daniel Gustafsson <daniel@yesql.se>, Robert Haas <robertmhaas@gmail.com>,
Michael Paquier <michael@paquier.xyz>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-05-12T21:39:07Z
Lists: pgsql-hackers
On 11/05/2024 23:45, Jelte Fennema-Nio wrote: > On Fri, 10 May 2024 at 15:50, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >> New proposal: >> >> - Remove the "try both" mode completely, and rename "requiredirect" to >> just "direct". So there would be just two modes: "postgres" and >> "direct". On reflection, the automatic fallback mode doesn't seem very >> useful. It would make sense as the default, because then you would get >> the benefits automatically in most cases but still be compatible with >> old servers. But if it's not the default, you have to fiddle with libpq >> settings anyway to enable it, and then you might as well use the >> "requiredirect" mode when you know the server supports it. There isn't >> anything wrong with it as such, but given how much confusion there's >> been on how this all works, I'd prefer to cut this back to the bare >> minimum now. We can add it back in the future, and perhaps make it the >> default at the same time. This addresses points 2. and 3. above. >> >> and: >> >> - Only allow sslnegotiation=direct with sslmode=require or higher. This >> is what you, Jacob, wanted to do all along, and addresses point 1. >> >> Thoughts? > > Sounds mostly good to me. But I think we'd want to automatically > increase sslmode to require if it is unset, but sslnegotation is set > to direct. Similar to how we bump sslmode to verify-full if > sslrootcert is set to system, but sslmode is unset. i.e. it seems > unnecessary/unwanted to throw an error if the connection string only > contains sslnegotiation=direct I find that error-prone. For example: 1. Try to connect to a server with direct negotiation: psql "host=foobar dbname=mydb sslnegotiation=direct" 2. It fails. Maybe it was an old server? Let's change it to sslnegotiation=postgres. 3. Now it succeeds. Great! You might miss that by changing sslnegotiation to 'postgres', or by removing it altogether, you not only made it compatible with older server versions, but you also allowed falling back to a plaintext connection. Maybe you're fine with that, but maybe not. I'd like to nudge people to use sslmode=require, not rely on implicit stuff like this just to make connection strings a little shorter. I'm not a fan of sslrootcert=system implying sslmode=verify-full either, for the same reasons. But at least "sslrootcert" is a clearly security-related setting, so removing it might give you a pause, whereas sslnegotition is about performance and compatibility. In v18, I'd like to make sslmode=require the default. Or maybe introduce a new setting like "encryption=ssl|gss|none", defaulting to 'ssl'. If we want to encourage encryption, that's the right way to do it. (I'd still recommend everyone to use an explicit sslmode=require in their connection strings for many years, though, because you might be using an older client without realizing it.) -- Heikki Linnakangas Neon (https://neon.tech)
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited