Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sHTLy-007wBo-Pp for pgsql-general@arkaria.postgresql.org; Wed, 12 Jun 2024 19:09:51 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sHTLw-005Dgn-Jq for pgsql-general@arkaria.postgresql.org; Wed, 12 Jun 2024 19:09:49 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sHQ0L-001uTv-NI for pgsql-general@lists.postgresql.org; Wed, 12 Jun 2024 15:35:19 +0000 Received: from qs51p00im-qukt01072501.me.com ([17.57.155.14]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sHQ0J-001IVu-Np for pgsql-general@postgresql.org; Wed, 12 Jun 2024 15:35:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osss.net; s=sig1; t=1718206513; bh=K4SIe73QRpwOftuZnz048GLEbRpawpjs+fR5d0xRb6c=; h=From:Content-Type:Mime-Version:Subject:Message-Id:Date:To; b=y+Sf8ZC1ufLZ5ULxEikOBz+YJyND+QQafanWH+Bngb4Y8lyiWloH/TNFefBytAj8J 7lvFjdcP+mJTL3EMZaonHCvccYLOXJTHBsKgJrp7NWpTN2PqcoUzmX+VPbzpPJU84r jjoXXBGaC/aiEgjKFiKlgSRMRvpkyjtx9gRwF24MB+3Fd0UvQfRWLXofdQbwYKppaB H0HHZupUQuI2blpla0yTJ3M6Q9GcIanzeBifetPjhCtFwV1PoMTQf19RhG9VyyDwk/ VhCEtsDdVj/KfkIhCTd37rV286NwS1uFwsB17YMWCeaLFH6qz3pJoPqbOEa1WzRqY2 8q3vbT73ifwxA== Received: from smtpclient.apple (qs51p00im-dlb-asmtp-mailmevip.me.com [17.57.155.28]) by qs51p00im-qukt01072501.me.com (Postfix) with ESMTPSA id 3DC93440349 for ; Wed, 12 Jun 2024 15:35:13 +0000 (UTC) From: Casey & Gina Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\)) Subject: Question about UNIX socket connections and SSL Message-Id: <5EDB1F7F-569B-48B2-8DCD-44EE17D41F1A@osss.net> Date: Wed, 12 Jun 2024 10:34:56 -0500 To: pgsql-general@postgresql.org X-Mailer: Apple Mail (2.3774.600.62) X-Proofpoint-GUID: vYdbRopYM0ZFsiazNb4-stXwOuyC4YoT X-Proofpoint-ORIG-GUID: vYdbRopYM0ZFsiazNb4-stXwOuyC4YoT X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-12_07,2024-06-12_02,2024-05-17_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 mlxscore=0 adultscore=0 suspectscore=0 bulkscore=0 phishscore=0 malwarescore=0 spamscore=0 clxscore=1030 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2406120099 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk It seems that libpq (maybe?) disables SSL when connecting through a UNIX = socket to the database. My setup involves a HA database cluster managed by Patroni. To route RW = or RO connections to the correct node(s), we use haproxy, running = locally on each application node. In the interest of being as efficient = as possible, not using TCP unnecessarily, and having the ability to set = appropriate permissions on the socket files which increases security, we = had configured the applications to connect to haproxy via local UNIX = socket, and then haproxy would of course communicate over the network to = the database servers via TCP. More recently, we've started setting up SSL encryption and CA = verification for all database connections going over the network. I = discovered when working on this that SSL was being disabled due to the = client connecting to haproxy via UNIX socket. After trying a bunch of = things, I resigned to having to use TCP, and we changed the connection = from the app to haproxy to TCP. We also have a jump server set up for staff to connect to the database = via an SSH tunnel. When this is used, an individual's database = connection goes from their client over TCP to the jump server via the = SSH tunnel, which directs their connection to an haproxy instance = running there via UNIX socket, which then in turn connects to the = database using TCP. Interestingly, even though traffic is being routed = through a UNIX socket here, SSL encryption *does* work. So why can't I use SSL when connecting from a client to a UNIX socket? = I can understand that verify-full wouldn't work without it, but = verify-full doesn't work even when using TCP with haproxy, as = "localhost" doesn't match the database hostname. For now, I'm only = concerned with the verify-ca sslmode. Is there a workaround possible = that doesn't involve using TCP unnecessarily? --=20 Thanks, - Casey=