Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6fg7-0013NG-5X for pgsql-hackers@arkaria.postgresql.org; Tue, 14 May 2024 00:06:00 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s6fg6-006wYK-Ty for pgsql-hackers@arkaria.postgresql.org; Tue, 14 May 2024 00:05:58 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6fg6-006wYC-JR for pgsql-hackers@lists.postgresql.org; Tue, 14 May 2024 00:05:58 +0000 Received: from mail-qk1-x734.google.com ([2607:f8b0:4864:20::734]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s6fg2-0006OZ-A2 for pgsql-hackers@lists.postgresql.org; Tue, 14 May 2024 00:05:57 +0000 Received: by mail-qk1-x734.google.com with SMTP id af79cd13be357-792ce7a1febso114973185a.1 for ; Mon, 13 May 2024 17:05:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1715645153; x=1716249953; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=vbaeiNe3kE9Y9zxU867vhRFLiauq39L80vJK8On8/b0=; b=fhpGk0thd/nwm/MicKzTlKXRJ7Q1NewLMZCzRu2bD96W3r2CRnMWqpTunup066cVGu hcQ/bPv4QCeTcBM7zQK8jXzGtVoJOyGXYnujlrrp8a8OxAaNKCCmDo8MERkXxm8s10fA mb18e+qfpuREEvBUrcQIGVGjB0cW9R1iLQBtP91QEP7xKGXI2iiAD35GB3PG14IzcnH3 YFxq2w/ttm5SbIissUqqNUlcMvU+afFAuEQ71I/yXMMuz2J0wNfKg9gFnR57PMgI287U /gKMFXI4owGWmLx2d5GlZ0kH2kan2BtKlw9Kv0/97ybMBth9fqRjcPDmtzlOuM6eYEsa vHoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715645153; x=1716249953; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vbaeiNe3kE9Y9zxU867vhRFLiauq39L80vJK8On8/b0=; b=iCx/IbY9pULhlRtWQidnHtFgBuChTnf9SKbHXvN74clh/2Kl/QQJ85uTopxIHkmhHw HB6S5PbFYePmz70ObvLgaARxM/dG/tPZcfu5RDIQR2hQ2H2mEldkDHPM1dyN7ZGBZiHO Ipq3P9IYmD7yUZu8SlmmGQyWa/jMws2WjE0GEDI9+afVQyqhymC7b+EEKxQ0drT37YOX XcKlttrxDSLOYWfCI1dwCjlB0a50OrFYd4Q7NeuPjsImfMvCPbV0z6lUT02rEKV0SBcF Hi6UFAMEGIaRzXTNK3N/Fk3wc9F6xnFYUhLxedTlaochk+5QXeisU4/IUT1lcVbwCKU/ DGJw== X-Forwarded-Encrypted: i=1; AJvYcCXGQT2WQQzue0oEqhnGpLAjKZM8UINNQhBb0T3O+J9zUq0S5WLwLTbXEFGCvhaybsBOgpL6jSaGfAnpk0x+EvW0jITIQORZ3X9vmeorveJodo3t X-Gm-Message-State: AOJu0YzyUDuzs+FGBSI/yorDyz4RbxsyfbpZYBl0DjHsDJ9GjlP/vB/n f+/fZLHXS6JqkmuSkK/eY8pthCqdxupRaIdWXdB7/wO3fM+R/D4sEulPod0DRTvW4/jebXMKA8u i/k4vZIS3UgYnkUMcB7/xnGekOPsR+qxcCo9T X-Google-Smtp-Source: AGHT+IHOGORl6CC3C+S8/6X55bVwsvbSEL9ItGdpSdrvOyEJZsnBuLqIC7x04IKOjZCQ5DT/FkJ9TkrIJ8eFBZeoc/A= X-Received: by 2002:a05:6214:3993:b0:6a0:991b:ecf1 with SMTP id 6a1803df08f44-6a168142dcfmr131537416d6.5.1715645152905; Mon, 13 May 2024 17:05:52 -0700 (PDT) MIME-Version: 1.0 References: <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> In-Reply-To: From: Jacob Champion Date: Mon, 13 May 2024 17:05:41 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Heikki Linnakangas Cc: Jelte Fennema-Nio , Daniel Gustafsson , Robert Haas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk [this should probably belong to a different thread, but I'm not sure what to title it] On Mon, May 13, 2024 at 4:08=E2=80=AFAM Heikki Linnakangas wrote: > I think these options should be designed from the user's point of view, > so that the user can specify the risks they're willing to accept, and > the details of how that's accomplished are handled by libpq. For > example, I'm OK with (tick all that apply): > > [ ] passive eavesdroppers seeing all the traffic > [ ] MITM being able to hijack the session > [ ] connecting without verifying the server's identity > [ ] divulging the plaintext password to the server > [ ] ... I'm pessimistic about a quality-of-protection scheme for this use case (*). I don't think users need more knobs in their connection strings, and many of the goals of transport encryption are really not independent from each other in practice. As evidence I point to the absolute mess of GSSAPI wrapping, which lets you check separate boxes for things like "require the server to authenticate itself" and "require integrity" and "allow MITMs to reorder messages" and so on, as if the whole idea of "integrity" is useful if you don't know who you're talking to in the first place. I think I recall slapd having something similarly arcane (but at least it doesn't make the clients do it!). Those kinds of APIs don't evolve well, in my opinion. I think most people probably just want browser-grade security as quickly and cheaply as possible, and we don't make that very easy today. I'll try to review a QoP scheme if someone works on it, don't get me wrong, but I'd much rather spend time on a "very secure by default" mode that gets rid of most of the options (i.e. a postgresqls:// scheme). (*) I've proposed quality-of-protection in the past, for Postgres proxy authentication [1]. But I'm comfortable in my hypocrisy, because in that case, the end user doing the configuration is a DBA with a config file who is expected to understand the whole system, and it's a niche use case (IMO) without an obvious "common setup". And frankly I think my proposal is unlikely to go anywhere; the cost/benefit probably isn't good enough. > If you need to verify > the server's identity, it implies sslmode=3Dverify-CA or > channel_binding=3Dtrue. Neither of those two options provides strong authentication of the peer, and personally I wouldn't want them to be considered worthy of "verify the server's identity" mode. And -- taking a wild leap here -- if we disagree, then granularity becomes a problem: either the QoP scheme now has to have sub-checkboxes for "if the server knows my password, that's good enough" and "it's fine if the server's hostname doesn't match the cert, for some reason", or it smashes all of those different ideas into one setting and then I have to settle for the weakest common denominator during an active attack. Assuming I haven't missed a third option, will that be easier/better than the status quo of require_auth+sslmode? > A different line of thought is that to keep the attack surface as smal > as possible, you should specify very explicitly what exactly you expect > to happen in the authentication, and disallow any variance. For example, > you expect SCRAM to be used, with a certificate signed by a particular > CA, and if the server requests anything else, that's suspicious and the > connection is aborted. We should make that possible too That's 'require_auth=3Dscram-sha-256 sslmode=3Dverify-ca', no? --Jacob [1] https://www.postgresql.org/message-id/0768cedb-695a-8841-5f8b-da2aa64c8= f3a%40timescale.com