Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1WkA-00Cv7s-GY for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 19:32:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s1Wk7-001mBh-RU for pgsql-hackers@arkaria.postgresql.org; Mon, 29 Apr 2024 19:32:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s1Wk7-001mBZ-CI for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 19:32:52 +0000 Received: from mail-oi1-x22f.google.com ([2607:f8b0:4864:20::22f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s1Wk4-000eWu-Nf for pgsql-hackers@lists.postgresql.org; Mon, 29 Apr 2024 19:32:50 +0000 Received: by mail-oi1-x22f.google.com with SMTP id 5614622812f47-3c861a87d6dso1241831b6e.0 for ; Mon, 29 Apr 2024 12:32:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1714419168; x=1715023968; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=jA929f7podnVbfHjHTP3EdYc076WQDR6sUSpPAfklyg=; b=XMYE7PqSbFRfWfWUeIrRefn+gr/GWa0LhkyrslAokZQBVtaw0etAA+9nNGolgRDzjN NfocTNAUc4MKJAwkE9FoK0lLijdrk1YTeJRxnbmLM1dEeLlDNop54cL6F5INtmPlqfrl 9f8Ussn+H9i8KjeNq/c9gLbVBc6hG7H77boqt7ifT0bIUj2oiBN4ImP3cchhzOonln73 oTJZlJHUHv4BvaNzOLoa0g5QCApPpFVYXx6IFEXRhHJCLx0uzRCNF+qMLztr7RQQ54C8 xCgYBLBfeEK11Bk9ANvkZZSf4FdLHAhHVBy8fLjz7T/RHLps1V75qfVc3I90LE+qsNvt hgjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714419168; x=1715023968; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jA929f7podnVbfHjHTP3EdYc076WQDR6sUSpPAfklyg=; b=kckmOT3pAU9SgOIh+g9GnTXHgZ5Z/xg0gxT/2vwBPwfqml88IeXdTKZIyegz6KrmhC FWIjoAf/roqcoOthX+94l52sbuAAn2bpcAXM220FT3T16zh9cw/PWiRZ15lytNzIgqlq 97cDYaChbym0bJAFS6vw5/GmU8oSJeTe053HfKasGhw5m8JWZUOnxiEyT87J1h4CXX9D fo6hO1hDWSAqaVHSPFfZzxSg3IYejJEU0Y+9HxmK0+JhuVBOUBEE9LI3JtJM6d+XUnCS 9hBywWUtWM2UcJfsbn/ozGfQjQ9TTM0i0XMaaOHUDQA5bwwTYvLNWjDrerTo0zu21nh8 UHIg== X-Forwarded-Encrypted: i=1; AJvYcCU4hWIgWNs00XfAir0/2vMA1Ecad6UxTVUDd2ZKVnpLpFvYSfKncy1j2/ihdP0AhWcHzbHjFYyYvsDDrrYZ2orgVWbpqN3PwPQYtxLvVvXPdAAC X-Gm-Message-State: AOJu0YyVaZh4advQyTjHSZrUeasnRf52hkV+ASDBj8MkX1P742j66VaA 34tTHjgJHZnslSNFDV2QED9r5m+AplCGhJBvRlEzW0UGFaBrE1YflqRSIchLjzfWoOatNIdmDVt FvujMOap+Rwa7rbxdGGaQ68Yus+jATXxQE/AI X-Google-Smtp-Source: AGHT+IH+C6Xwrddayu4PAFN0YgUH3v/gF4y+x+US6ACb7EvzlMin/aoDbmDPxUcnps6yPQI7DNgBdWnFE3HQK8vWioA= X-Received: by 2002:a05:6808:11c3:b0:3c8:2bb9:1516 with SMTP id p3-20020a05680811c300b003c82bb91516mr1029933oiv.26.1714419167810; Mon, 29 Apr 2024 12:32:47 -0700 (PDT) MIME-Version: 1.0 References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> In-Reply-To: <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> From: Jacob Champion Date: Mon, 29 Apr 2024 12:32:36 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Heikki Linnakangas Cc: Daniel Gustafsson , Robert Haas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Apr 29, 2024 at 12:06=E2=80=AFPM Heikki Linnakangas wrote: > On 29/04/2024 21:43, Jacob Champion wrote: > > But if you're in that situation, what does the use of directonly give > > you over `sslnegotiation=3Ddirect`? You already know that servers > > support direct, so there's no additional performance penalty from the > > less strict mode. > > Well, by that argument we don't need requiredirect/directonly at all. > This goes back to whether it's a security feature or a performance featur= e. That's what I've been trying to argue, yeah. If it's not a security feature... why's it there? > There is a small benefit with sslmode=3Dprefer if you connect to a server > that doesn't support SSL, though. With sslnegotiation=3Ddirect, if the > server rejects the direct SSL connection, the client will reconnect and > try SSL with SSLRequest. The server will respond with 'N', and the > client will proceed without encryption. sslnegotiation=3Ddirectonly > removes that SSLRequest attempt, eliminating one roundtrip. Okay, agreed that in this case, there is a performance benefit. It's not enough to convince me, honestly, but are there any other cases I missed as well? > Oh I was not aware sslrootcert=3Dsystem works like that. That's a bit > surprising, none of the other ssl-related settings imply or require that > SSL is actually used. For sslrootcert=3Dsystem in particular, the danger of accidentally weak sslmodes is pretty high, especially for verify-ca mode. (It goes back to that other argument -- there should be, effectively, zero users who both opt in to the public CA system, and are also okay with silently falling back and not using it.) > Did we intend to set a precedence for new settings > with that? (I'll let committers answer whether they intended that or not -- I was just bringing up that we already have a setting that works like that, and I really like how it works in practice. But it's probably unsurprising that I like it.) --Jacob