Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzKBM-003AKM-Vv for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:43:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rzKBL-009vm8-GU for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:43:51 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzKBL-009vm0-7I for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:43:51 +0000 Received: from mail-lj1-x22e.google.com ([2a00:1450:4864:20::22e]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rzKBG-002YjL-QL for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:43:50 +0000 Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2da01cb187cso101492621fa.0 for ; Tue, 23 Apr 2024 10:43:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713894226; x=1714499026; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Mk6wMTmGB3sFeLn//nnRUQWnb1HEJ0FdhR9xdjg2KLk=; b=HP4ha09rkVCjPtxlAA52Ka8+pZZ2dj1/cr+fK7OEf/e3gpAY4reCBeegPKFNZSHkhw xMEiF4ZpC2RMCeQvNX/Jz6h6//y3+xfcezKKy+rUTHPHHTclp7yTFVADm7YpfdbbNjEJ oNR9vh2Yy9aXwIgKRwV0TOtOEN6XLD0Qarnvc+7RkawAZ2SGFv01OYk7Kh1ZDmH7CZCQ kW5xRC7DqmR6tzpbz9cvrWPu5NYEk+5FWVcQ3IiRBReUpaPCM9HSOuWpTeUl4pIDaFf3 vwOmHYjyBfU8ejzJ9lubAhrF4+6MU/CiC/QR1OqiCzZAVRjk7FVTVhbjNERINuMrTEJp pF4g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713894226; x=1714499026; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Mk6wMTmGB3sFeLn//nnRUQWnb1HEJ0FdhR9xdjg2KLk=; b=WMg3QHyZVm7snc31INZJsQgnesMQhiy0aZSF5/NQOGsfIixwMO4mrfaz140ViG8W7o EF2xMEVMVniHBrC1Cnju22PlpiFpE/zZR+j0NCQ6cw3f9ptN8m80d/tmJjCwBTR98HuF eBUSUQQp2aetQmktseg2S2WGj87mZ4X2JOi6kLQQ6yOh4XhuDgDxRA6u+EaRxizhXvQi g8lOpNimo59uE25tEPJb5ZqPBZDP2cSV6OoPT20wJZZXrPss8KkJnXcGhV8IBMHe2KeN XBdI2M7TR2WVVN8h5iBNlF52B6efetyBa6sA8e3dXKDJE66JXr17NEkjaGxMWEB3fyEz 4hKw== X-Forwarded-Encrypted: i=1; AJvYcCUlXaV53Y9EJam6jLCDbgh7e5BU1PQdD21TXVqv7ijps3fAtOTlUS2VUJy+mRStGuaKJkS2T2RO9SJzgUqt8DaY/5G37c/IWyMjQODEFtMPyz3b X-Gm-Message-State: AOJu0YwqPJLFSQ90P024N0bMxS1Ni3N0QydEj0ca4KwvOqS95dOZatOW pggQwpC/LpRZAvO+iojK4GY3ymBACqTK5/FSxoeh0PCnC4VQUYPddqp5CwI2/+XK5HOaFWfymqd vryvWwAC6Jf2OsLEvR4LppH9jBgc= X-Google-Smtp-Source: AGHT+IGvvH8WQ4K24DSfYATEMDrAOZOidmm7PcTBscEjdTkLT8hsdDQx1K+Dj+T22aUyY1RzLvvfwrlIND8vzWsN+Vo= X-Received: by 2002:a2e:908e:0:b0:2db:c2e0:c541 with SMTP id l14-20020a2e908e000000b002dbc2e0c541mr10041880ljg.53.1713894225790; Tue, 23 Apr 2024 10:43:45 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Robert Haas Date: Tue, 23 Apr 2024 13:43:34 -0400 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Jacob Champion Cc: Michael Paquier , Heikki Linnakangas , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 23, 2024 at 1:22=E2=80=AFPM Jacob Champion wrote: > On Mon, Apr 22, 2024 at 10:42=E2=80=AFPM Michael Paquier wrote: > > On Mon, Apr 22, 2024 at 10:47:51AM +0300, Heikki Linnakangas wrote: > > > On 22/04/2024 10:19, Michael Paquier wrote: > > >> As a whole, I can get behind a unique GUC that forces the use of > > >> direct. Or, we could extend the existing "ssl" GUC with a new > > >> "direct" value to accept only direct connections and restrict the > > >> original protocol (and a new "postgres" for the pre-16 protocol, > > >> rejecting direct?), while "on" is able to accept both. > > > > > > I'd be OK with that, although I still don't really see the point of f= orcing > > > this from the server side. We could also add this later. > > > > I'd be OK with doing something only in v18, if need be. Jacob, what > > do you think? > > I think it would be nice to have an option like that. Whether it's > done now or in 18, I don't have a strong opinion about. But I do think > it'd be helpful to have a consensus on whether or not this is a > security improvement, or a performance enhancement only, before adding > said option. As it's implemented, if the requiredirect option doesn't > actually requiredirect, I think it looks like security but isn't > really. I've not followed this thread closely enough to understand the comment about requiredirect maybe not actually requiring direct, but if that were true it seems like it might be concerning. But as far as having a GUC to force direct SSL or not, I agree that's a good idea, and that it's better than only being able to control the behavior through pg_hba.conf, because it removes room for any possible doubt about whether you're really enforcing the behavior you want to be enforcing. It might also mean that the connection can be rejected earlier in the handshaking process on the basis of the GUC value, which could conceivably prevent a client from reaching some piece of code that turns out to have a security vulnerability. For example, if we found out that direct SSL connections let you take over the Pentagon before reaching the authentication stage, but for some reason regular connections don't have the same problem, being able to categorically shut off direct SSL would be valuable. However, I don't really see why this has to be done for this release. It seems like a separate feature from direct SSL itself. If direct SSL hadn't been committed at the very last minute, then it would have been great if this had been done for this release, too. But it was. The moral we ought to take from that is "perhaps get the big features in a bit further in advance of the freeze," not "well we'll just keep hacking after the freeze." --=20 Robert Haas EDB: http://www.enterprisedb.com