Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s03c7-000RrO-DJ for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 18:14:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s03b6-001Z6m-MN for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 18:13:29 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s03b6-001Z6d-Bf for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 18:13:29 +0000 Received: from mail-qv1-xf29.google.com ([2607:f8b0:4864:20::f29]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s03b3-0002Ky-Kv for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 18:13:28 +0000 Received: by mail-qv1-xf29.google.com with SMTP id 6a1803df08f44-69b50b8239fso13475896d6.0 for ; Thu, 25 Apr 2024 11:13:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1714068803; x=1714673603; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=VbReL4sgV4muGBORuRU5JrzDGXJ3TTRebym1T1gX1/A=; b=IzEIqZXDMmz4+WW6gGjZOpRJ9DVeBnN31gTvLNycP8+dUC2Ieg9nVzsqLjrRbwJLvI ziYLpXqcGOWAgv8cwLxSYeUm952EOGegOw+tYw2LGCTvqMEr6fUXnAmBmjzrA21IzD9N u/x0r2cR3nl2F/WZTAE9x8/dNKseMSjCGoo5bmOnbSf0GvkyXxxrakh4Qjr+9jm7zpzD H/+OLgrAfwkIJ3mjo3NMBwBfvLa6qaYcfFaHVkC8fq/8SpzM+aRch5ngQ0IK9871w7hv IY5jNVLOpCHRqAeN7ajVRXkAmkVW4+sTaXXUYP+ddd2PxNkaA2j+AekfL6hKTu5TY+Zy AtsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714068803; x=1714673603; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VbReL4sgV4muGBORuRU5JrzDGXJ3TTRebym1T1gX1/A=; b=vbkBYPk7KuUClCLxUkFmQ8OcL4V3y1yUcPXMF0n/tuDZETtqQJ72nVsM/XnqdEKWLQ DjjjxiK6ZNvEW1Gdd7V90ck8E9ahYHiO3z62Uu1tNVYcUg8fFJ9QCiDEyCrde0rLDU7U k37FOGVzsq2eY8WlYjs9uES68qXFf+i2zMvIa8npSRhtrDHgS3LfaSfeChEyLAtAIKXf qbU+iDX2ndVe8orut0FR+gn2KXw6MepAg/NTEi19o4hi/fjin+3d4SEnaOurPVhiIy7H nqPPVTAasScxCprcShNm2GrzOzAHF7gp85wdev33KP3n3OKsRRbU51UnsE2XyH9ZkpNw /lRg== X-Forwarded-Encrypted: i=1; AJvYcCUTgjWgVCzHkGY+RO0S2Gtjpv9ff47IAVKk3kJiHEa4eV8sFplzGlg5bkEmqmehtRrXk7uP9FNK/ixI/W3xAuy4jXOAhkyCkI4FAibmX3eXLnsU X-Gm-Message-State: AOJu0YwgUtgRWxqEOTAAuK8pKN4J7/1G1Moq6Lgd5BXEwh+s/VYg+ny4 ANkqeHpMxH0f/bSPIYQ+B7KmlPrtFf1LcjGF1/gT31JAD8R86tV3kRm8jEObpsoW2uVkrom87j0 3xSYTQCFESVnypHMNvbxi7x7VbZKi4WRVAIUL X-Google-Smtp-Source: AGHT+IFVQN4QJu0hL5DAUAuCJziG6liDRrAe88A7fcP0Clkwl0k5SsmrXJomn2LA0pZv55onnd2VYV+klKHRsqbq3tw= X-Received: by 2002:a05:6214:488:b0:6a0:9d96:abd4 with SMTP id pt8-20020a056214048800b006a09d96abd4mr843729qvb.24.1714068803563; Thu, 25 Apr 2024 11:13:23 -0700 (PDT) MIME-Version: 1.0 References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> In-Reply-To: From: Jacob Champion Date: Thu, 25 Apr 2024 11:13:12 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Robert Haas Cc: Heikki Linnakangas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Apr 25, 2024 at 10:35=E2=80=AFAM Robert Haas wrote: > Maybe I'm missing something here, but why doesn't sslnegotiation > override sslmode completely? Or alternatively, why not remove > sslnegotiation entirely and just have more sslmode values? I mean > maybe this shouldn't happen categorically, but if I say I want to > require a direct SSL connection, to me that implies that I don't want > an indirect SSL connection, and I really don't want a non-SSL > connection. I think that comes down to the debate upthread, and whether you think it's a performance tweak or a security feature. My take on it is, `direct` mode is performance, and `requiredirect` is security. (Especially since, with the current implementation, requiredirect can slow things down?) > I think it's pretty questionable in 2024 whether sslmode=3Dallow and > sslmode=3Dprefer make any sense at all. I don't think it would be crazy > to remove them entirely. But I certainly don't think that they should > be allowed to bleed into the behavior of new, higher-security > configurations. Surely if I say I want direct SSL, it's that or > nothing, right? I agree, but I more or less lost the battle at [1]. Like Matthias mentioned in [2]: > I'm not sure about this either. The 'gssencmode' option is already > quite weird in that it seems to override the "require"d priority of > "sslmode=3Drequire", which it IMO really shouldn't. Thanks, --Jacob [1] https://www.postgresql.org/message-id/CAOYmi%2B%3DcnV-8V8TndSkEF6Htqa7q= HQUL_KnQU8-DrT0Jjnm3_Q%40mail.gmail.com [2] https://www.postgresql.org/message-id/CAEze2Wi9j5Q3mRnuoD2Hr%3DeOFV-cMz= WAUZ88YmSXSwsiJLQOWA%40mail.gmail.com