Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1QHL-00CDDg-Ac for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 12:38:43 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s1QHI-00Gnss-TG for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 12:38:41 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1QHI-00Gnsj-Jl for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 12:38:41 +0000 Received: from mail-lf1-x129.google.com ([2a00:1450:4864:20::129]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s1QHE-000bWf-AR for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 12:38:40 +0000 Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-5176f217b7bso7479493e87.0 for ; Mon, 29 Apr 2024 05:38:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1714394314; x=1714999114; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ojFBxhOjEzsomIXXGUnVJa+qyVCimJ/tn8j+5ZE6SlE=; b=dYOx/gBqZzsVocfhs0eAjyJ65RsV7O5i5MeG79+pk8xJTDivh2czcuKRj9tbkjug1P LUM8SZN+W6thWKQJCE54tzGxGSU6MTsJfufXvfTgrmGOS1bnByBJMXo5lU3c/t6axHTx 9WpY45YpjPAbjwsrjpZIj43grOjkHs8H4+2s/HcN29kT7GkHwxw2W1rsGiuK+1xBPFQz pu1wneYosmqUzPQEEf0Kxj3TP++aL99lYa2LG6JgzuwdXZ6yT7Lo1G7TkFHnluvkSFS5 7GnJdvWzqJ7nCGtVN3/iY3Ump9a+IdvFyVuw3kzJ4nbIAZo5xpX0Hr3r2phzOew0gqa6 d9VQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714394314; x=1714999114; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ojFBxhOjEzsomIXXGUnVJa+qyVCimJ/tn8j+5ZE6SlE=; b=YvDHHwzmLL5r4Qju4GScM4p6zy3OUjZBtHYIkim8n6cXzVJe+lZO7cbBaACTTaYHje yxNsQ/xCGKBJwt71Cimw0lsyOQhV3QCYJIOZfJHl7JE5J4UhSqIFigl9xgkJcFXVEPEh +bK+wHxsk74eEyL6Y2/hXGlLobNGtxjG/OFX1KzV1WcE2qXl3gJnQ72K1KojBICU9MpC 3UnCFXm7gnPfSZ/dMHNsTThwEbSxqgAhhZN84SKvK8gfvszmZyry7oAqDt+CjN0Y5hFu XJMzXoWRYYRsTs7ZKd71z60UDtCzIPAZQ195miiedHQrVB2OvrwkXa7J9TZykbTlDwm5 pKDA== X-Forwarded-Encrypted: i=1; AJvYcCVnsuPlUj22nnSLHdhEAuvIhUAgZphlpDgbHgjdYftwKpdw9sO42a/iNliKsoREd407ARoU2i4frjXB217pQ6YeV4LoVC8nZDDsj5j2T9dk+Mc7 X-Gm-Message-State: AOJu0Yw9RiTVVa08P8DCde5CH8sb93AYKH8MMkKO/JgBA+zh3hUfXyiV xZJWjpgTbZDKaeHrt3cWFxXvikYlSBI33vULhfo9CEdN/jgVW0M8Wc71JPKzhnJPHGYoV5zAbuo IWOL8ekkZVXA0hGLfMM0wfoLo4B8= X-Google-Smtp-Source: AGHT+IGPS7wSdzdpttdavWvrUrlsnz6NbdfwRmGFE7p5Y/UrI9NwVO71DPrn1pfiNKe1CraprWsiPl5sFebocf8t618= X-Received: by 2002:a05:6512:702:b0:51b:af8f:f7c4 with SMTP id b2-20020a056512070200b0051baf8ff7c4mr7627937lfs.52.1714394313958; Mon, 29 Apr 2024 05:38:33 -0700 (PDT) MIME-Version: 1.0 References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> In-Reply-To: <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> From: Robert Haas Date: Mon, 29 Apr 2024 08:38:22 -0400 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Heikki Linnakangas Cc: Jacob Champion , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Apr 29, 2024 at 4:38=E2=80=AFAM Heikki Linnakangas wrote: > Making requiredirect to imply sslmode=3Drequire, or error out unless you > also set sslmode=3Drequire, feels like a cavalier way of forcing SSL. We > should have a serious discussion on making sslmode=3Drequire the default > instead. That would be a more direct way of nudging people to use SSL. > It would cause a lot of breakage, but it would also be a big improvement > to security. > > Consider how sslnegotiation=3Drequiredirect/directonly would feel, if we > made sslmode=3Drequire the default. If you explicitly set "sslmode=3Dpref= er" > or "sslmode=3Ddisable", it would be annoying if you would also need to > remove "sslnegotiation=3Drequiredirect" from your connection string. I think making sslmode=3Drequire the default is pretty unworkable, unless we also had a way of automatically setting up SSL as part of initdb or something. Otherwise, we'd have to add sslmode=3Ddisable to a million places just to get the regression tests to work, and every test cluster anyone spins up locally would break in annoying ways, too. I had been thinking we might want to change the default to sslmode=3Ddisable and remove allow and prefer, but maybe automating a basic SSL setup is better. Either way, we should move toward a world where you either ask for SSL and get it, or don't ask for it and don't get it. Being halfway in between is bad. --=20 Robert Haas EDB: http://www.enterprisedb.com