Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s030M-000LoZ-9w for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 17:35:30 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s030J-001FHZ-E7 for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 17:35:28 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s030J-001FGl-4M for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 17:35:28 +0000 Received: from mail-lj1-x22e.google.com ([2a00:1450:4864:20::22e]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s030H-00021j-17 for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 17:35:27 +0000 Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2def8e58471so14771371fa.0 for ; Thu, 25 Apr 2024 10:35:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1714066524; x=1714671324; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Fpd+83v+ta5A8PKUHkFHJ0DQQ0IIBtCzDKWXHWQX1vA=; b=fivg+r9d7Nu6ld4uFugnB3vBoLHvSLp/DDRDZSjUHIxZAdRR3ZIaRuMspaFmfR6PRp J1jmEts9YkIifbl7a29W51nsvagxwtGi1rm3CoyieIUiZl/uG77a56kK+Am/3dRczeN8 713IO5rcz5zh7DnOmkYFLqHxx8Bjt6gVLM9SVTLtTQK7MS80xiRcIvHpE2gWG7fZxR3L OmlSdIzYdF+h8VcIgyRW03t6wo2TlQN8yYtqY3E3RrDeGt8hBQAzaSfVy7gfLfTxGiaS EI0qx7GJu3Tqs4+CXsC+bJPqdBjrYKifQukb5BVGTekCr/9Z6CsspjB6o7bP1c+2S9xo mMsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714066524; x=1714671324; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Fpd+83v+ta5A8PKUHkFHJ0DQQ0IIBtCzDKWXHWQX1vA=; b=VWHunbt4mZflVyxcpiFzJTAEPimFMnLI90M8KgHf/HXu2GUxUpQhdAHB+VC2as9Q+E bHHzVmXib3uHUVZliO3EhZTjpsM0ABWyplgzLGShO3eoB/W7qBetErrFcX8m5orLuPLK iAcKo0lv8UOTH/QDia7pnrav7Uli/q5pwfLXzoGhIxo2IWd4hItoc5od7ZD00mPuHiN5 trUrjuzcHkm3Z3E6B+LJQTKgBZVPAh+hVh93EHhOc+gT3aKI570jGdgQzFOa3faEBEdn p35imQjX40fyDds3AN5PpfNKztBG7E0yyMJI4kd/oCAWPDVlUMCE3A2aeyT2AInOaC+l HpVw== X-Forwarded-Encrypted: i=1; AJvYcCX/wvrdsB+FwAo9Q0tTRsScnVBfuuLju3vUsdREknOKEKGqvNwjXrc/foy/vZHrLhBHsvJpXt9/J5RbLnh3n/mhKE8TrXZ3QuCnBVxti1obj8n4 X-Gm-Message-State: AOJu0Yxx+GqI+XteH8iJYN1j79kN4DuzlHDxw80hP6kmY4s2xt7ALAxU qvXpZNIc0cKAAaKA1bOnb/TNd6Q5zRGig5OWMbT0ZyW8PhQZZO5y20vaMefUHTL2HcrSdoQRVnR aA2oICku/wbF6rcO2lRIhM5//nfE= X-Google-Smtp-Source: AGHT+IHFC7vLzBxMN79jHOUJy1ID1VMFc8XP+MfsRzhdcyTfR9/pi/XCa1KWIj/UiCLwAMd4eABhnGjUOaJrS6gADg4= X-Received: by 2002:a2e:9008:0:b0:2db:a9c9:4c5e with SMTP id h8-20020a2e9008000000b002dba9c94c5emr45918ljg.21.1714066524029; Thu, 25 Apr 2024 10:35:24 -0700 (PDT) MIME-Version: 1.0 References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> In-Reply-To: From: Robert Haas Date: Thu, 25 Apr 2024 13:35:12 -0400 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Jacob Champion Cc: Heikki Linnakangas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Apr 25, 2024 at 12:28=E2=80=AFPM Jacob Champion wrote: > On Thu, Apr 25, 2024 at 9:17=E2=80=AFAM Robert Haas wrote: > > It is difficult to imagine a world in which we have both requiredirect > > and forcedirect and people are not confused. > > Yeah... Any thoughts on a better scheme? require_auth was meant to > lock down overly general authentication; maybe a require_proto or > something could do the same for the transport? I don't understand the difference between the two sets of semantics myself, so I'm not in a good position to comment. > I hate that we have so many options that most people don't need but > take precedence, especially when they're based on the existence of > magic third-party environmental cues (e.g. Kerberos caches). And it > was nice that we got sslrootcert=3Dsystem to turn on strong security and > reject nonsensical combinations. If someone sets `requiredirect` and > leaves the default sslmode, or chooses a weaker one... Is that really > useful to someone? Maybe I'm missing something here, but why doesn't sslnegotiation override sslmode completely? Or alternatively, why not remove sslnegotiation entirely and just have more sslmode values? I mean maybe this shouldn't happen categorically, but if I say I want to require a direct SSL connection, to me that implies that I don't want an indirect SSL connection, and I really don't want a non-SSL connection. I think it's pretty questionable in 2024 whether sslmode=3Dallow and sslmode=3Dprefer make any sense at all. I don't think it would be crazy to remove them entirely. But I certainly don't think that they should be allowed to bleed into the behavior of new, higher-security configurations. Surely if I say I want direct SSL, it's that or nothing, right? --=20 Robert Haas EDB: http://www.enterprisedb.com