Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6X4X-0009wU-BB for pgsql-hackers@arkaria.postgresql.org; Mon, 13 May 2024 14:54:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s6X4X-00180k-Ea for pgsql-hackers@arkaria.postgresql.org; Mon, 13 May 2024 14:54:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6X4X-00180U-1W for pgsql-hackers@lists.postgresql.org; Mon, 13 May 2024 14:54:37 +0000 Received: from lahtoruutu.iki.fi ([185.185.170.37]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6X4T-0001VN-8p for pgsql-hackers@lists.postgresql.org; Mon, 13 May 2024 14:54:36 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VdMvq6069z49Q5W; Mon, 13 May 2024 17:54:31 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1715612072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jYznVvYLgTHb+6ddobgLEL/Q9KWAMFRQ2+sAHxlIucw=; b=QXdye5WMUcb9qBh7FQqt1UnBHO7mZdi/ZpzD2LRuLbU6b2NlMzQqAr5om8M5ftVLeqVq2Z Zh9cvTZqYAyTOc0uA5P0RP9ikJv8S1Tj8hN2O4xSv/yA0R61L5dx72CdpGksoagIdxToyA Fd8ga+C/gehyJxDnJLSGVj3j1fhkoHnYiWmG/TC4/785CwpukNpZ6oeqgvJTaXrvYZ1uKw sd3C3p2EUkc3g5LLANUIx7vMkM0khBCbQak0UOuqByYJpt18ZC47dDO0G/56w0VwSwOGCC TnY6dTAlBigDD3MeFZ8wVLJEQX485WUYtIjIBPCGTlpyzxqB7qvBqxhx0JnCgg== ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1715612072; a=rsa-sha256; cv=none; b=ZP2L9fyJzlUoE+xz680BrUBTYZmhY9AkctOXkFT4ma7nSpJWjqi7b7zoxxR5BRy18qxPMJ eYmTBJ+9C+8yVFmh845X3wC9ZcRl6z40apSTBJVgbFpVpr0Rk8Dz79ZhSVLiAS/3eXsfk6 HfIwbR4jtPdBDa/+xtj/FU6LEXiC3rDlvT59y+O2mDWTggXm24+ERiIz405pmGBNXTGnmn JLehy/F3XTl4wQYM+ipXuhsYDdICa/DqYEH1qnJqkYO9qLrCc/uha1Q2iJLEnlp/Uh21sY N1sJZLsRJUDJv6mMFaAQx3BC3D6zVLmcnEyvaOxLSzZ6AMDalVFa46qslYaQQg== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1715612072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jYznVvYLgTHb+6ddobgLEL/Q9KWAMFRQ2+sAHxlIucw=; b=CILdUy1iSynA/Ja+YM0wibnvHHs2rNbqCGozel3L40vKmxpNWUz7i4vobfrtC0DtBbtICH LeH5vAl+U61eZq2GcV639kHdgFO/kjQfQYJomYWCFe5PO6dqNXt0ag6i7M+Wzn50n/b7rI 6taZpO0F4Z9U+RpTCRJxiyAAzPMn1LJ2GMlHOAxSHKqz4kd+ossS0jWcC329qjA8QfB26K xyvqn139ypWYl9bAArF+cOGM4VmTxDcp1IQHyYUwPmjtU2RUeFM4/yfWUk5ja2KrJF45lv R6reDCxZmNzia2EtwAIll1ak3oIYWVpkOMvfWWHJUPMjLiKWYL4dNvVzOUHsyA== Message-ID: <0b42d924-1740-41c4-a628-3e2211e6bbc4@iki.fi> Date: Mon, 13 May 2024 17:54:30 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Jelte Fennema-Nio Cc: Jacob Champion , Daniel Gustafsson , Robert Haas , Michael Paquier , Postgres hackers References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> <3fdaf4b1-82d1-45bb-8175-f97ff53a1f01@iki.fi> Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 13/05/2024 16:55, Jelte Fennema-Nio wrote: > On Mon, 13 May 2024 at 15:38, Heikki Linnakangas wrote: >> Here's a patch to implement that. > > + if (conn->sslnegotiation[0] == 'd' && > + conn->sslmode[0] != 'r' && conn->sslmode[0] != 'v') > > I think these checks should use strcmp instead of checking magic first > characters. I see this same clever trick is used in the recently added > init_allowed_encryption_methods, and I think that should be changed to > use strcmp too for readability. Oh yeah, I hate that too. These should be refactored into enums, with a clear separate stage of parsing the options from strings. But we use that pattern all over the place, so I didn't want to start reforming it with this patch. -- Heikki Linnakangas Neon (https://neon.tech)