Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s01n1-000AXi-6t for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 16:17:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s01m0-000KTd-Ep for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Apr 2024 16:16:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s01m0-000KTU-4Z for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 16:16:37 +0000 Received: from mail-qt1-x82a.google.com ([2607:f8b0:4864:20::82a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s01lt-0001KL-8M for pgsql-hackers@lists.postgresql.org; Thu, 25 Apr 2024 16:16:35 +0000 Received: by mail-qt1-x82a.google.com with SMTP id d75a77b69052e-439dfa27003so6584321cf.2 for ; Thu, 25 Apr 2024 09:16:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1714061787; x=1714666587; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9rjHh2mfzrQ0dr36kc6N4Cw7bbv+1DybzQxyUPsj+GA=; b=jP6vDyrID7EROSfXfmO77eoozTE1zIf9verMKZxDqqj+8qTRdpxRzoguvB4SHed9dW sozM7w2KLuhpJ+rrUzWHAtNgAImQZQOtT2dXG12dXZwgIHS/mPM7Zv4AyOC7ihZjwkHf da5w73HljEk68O6Y3GhHEzEYXSSAP+kuZOg3IK1Lc067yAsD7EZdNIH/97jhJ2dD26K6 rrLAfIhDyTA/cZNR6dyZfV7QKHjQkYwL5M8nswS97rIeehISFyBUO7zcmGDbxnLtGGbD 2+HdAv0RPrv4L0y/UHBUWnExUT8LjbcMw0GIQHFK1IkiYNWQF0toMk8rFdY3XscJRH3E M2qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714061787; x=1714666587; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9rjHh2mfzrQ0dr36kc6N4Cw7bbv+1DybzQxyUPsj+GA=; b=RIYuU1FaozUg/kk+EDl287W2XRKNO1FLd6um6p9nhFtNjKol+vqxgenP7oYzruDTEi vO3AMwzhK1lm0V22qQ+XGCHUfJgGRVW9STApPOtbopW0RfhFuY7u98b4Xa7jT9U9/f+6 cmaFDv109ybn/uF1QhRoduvFsdd1WRYiT7aWKtJpvqDUxz0vqGcFySEO3Dgzdo5879+F ywd7egwc3GxvryWDydjkocHZcPedPRdOBuLQc6RomYKOmFS5iTCKT5SAGZgnlO50RJbC aj2uFAdOMbaQo76+O9fyQiBcWcbRAilLwlX7jCNAD/iuoEcQj4C4w3tb/aIHxlHyAeEy J/Cw== X-Forwarded-Encrypted: i=1; AJvYcCX98zGJ3LzkaU7zrVz+hu5LftlrN4QwS3uIe+cdta0RnVuNYJuHGxBvii3OKcm09QLy2UCIw9dzvCBEvr+kkt2qC+T4K1fXXfxt2MMZSI9lbiQE X-Gm-Message-State: AOJu0YzyiTK5DFmQHgnD+Lj0c5qDFKU5wBNZwi/N4zMQn9BHZ97EYQ1c FVwVkuyjz5Ui/i+muHKIINL53HqFLdPNufSmAKohJEKJ23sndD1GN9QXitzqCpM0OVSkLWgp3Ug wcTsm6iPkTGZyZDbza2Y4auewvVjevbIMKZL1 X-Google-Smtp-Source: AGHT+IFeheh05L1wOkXSMqUAklmKQXAuKFFmuQEILkP2NZi9JbicwwysFSTEiKwZHiKBVkPCPAldAi8OU85NG+aFWMo= X-Received: by 2002:ad4:5ba3:0:b0:6a0:6304:53fa with SMTP id 3-20020ad45ba3000000b006a0630453famr318407qvq.7.1714061786804; Thu, 25 Apr 2024 09:16:26 -0700 (PDT) MIME-Version: 1.0 References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> In-Reply-To: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> From: Jacob Champion Date: Thu, 25 Apr 2024 09:16:16 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Heikki Linnakangas Cc: Robert Haas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 23, 2024 at 2:20=E2=80=AFPM Heikki Linnakangas wrote: > > Attached patch tries to fix and clarify those. s/negotiatied/negotiated/ in the attached patch, but other than that this seems like a definite improvement. Thanks! > (Note that the client will only attempt GSSAPI encryption if it can find > kerberos credentials in the environment.) Right. I don't like that it still happens with sslnegotiation=3Drequiredirect, but I suspect that this is not the thread to complain about it in. Maybe I can propose a sslnegotiation=3Dforcedirect or something for 18, to complement a postgresqls:// scheme. That leaves the ALPACA handshake correction, I think. (Peter had some questions on the original thread [1] that I've tried to answer.) And the overall consensus, or lack thereof, on whether or not `requiredirect` should be considered a security feature. Thanks, --Jacob [1] https://www.postgresql.org/message-id/e782e9f4-a0cd-49f5-800b-5e32a1b29= 183%40eisentraut.org