Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzJqg-0037gj-73 for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:22:30 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rzJqe-009j2m-9h for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:22:28 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzJqd-009j2e-Vq for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:22:28 +0000 Received: from mail-qk1-x733.google.com ([2607:f8b0:4864:20::733]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rzJqa-002YRY-JZ for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:22:26 +0000 Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-78f056f0a53so391749585a.1 for ; Tue, 23 Apr 2024 10:22:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1713892942; x=1714497742; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=76m+46j2VByUlkxm6CV5Z85NFphDXNPNfGnXsJSfI1o=; b=Vfw3EAB7PKm/JyIamD2kHnDMHHM0rz1gCGz/6jgS4VUB8ngOd8n89joDjBgGbp1dny bwdi8uOQxdyAISK5XaZv8vDqxNycN00OoFJVX10ftO7RjZJ887TA+ewZlGnph5pTqtWH LMHUwQUunE4AOZ4IDKX7V31dsQesP+ZlfthRaCdMZqzlBWZBTZIjxI/amYa+aBt8vN8S I1bcx2ptjG3rWQctGcUGBypTyp4M4153asR9XQ6rZZs3UptkMi+xkAFNv3vfjgOKwSK7 YWpetkbCOWzv6O3b1QupDbEJP8Juwd9H7Z1vDstMXmE5WUEvJns63/4W4b7F6h42Hi5d Nehg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713892942; x=1714497742; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=76m+46j2VByUlkxm6CV5Z85NFphDXNPNfGnXsJSfI1o=; b=niZTTNVDd4BsMgJVNT3lnky99iXcXOKiKwLSOBCd0b9nm1CDIdOfADlxFJ+xFXMV5e 5gl2LS4y7eNFc+jeHKwEl6E3DG0PDUm2jAnWMczsW8sONDeDU7IzbL3ia7KzxX6C7xMY /kV6gdImTLL/s+SkpFP1njrvcCCthIbmBcU0GoSTA5auKf5Cs5A7DEBlsDf9aTPISmdz OGwBZGDP9VMf2twcfKCksskNoXa93AaiYNBcepIrHaUihMJtiBhjjolfIOxsBZPncGpD a1gdQDpvNP6QgRMznQHt44rITSZACkdK/sp4i6QvQomMYEIcaPEK0yLnR9WyEgoy0prY 1qvw== X-Forwarded-Encrypted: i=1; AJvYcCUaNqS0e3YCKwdmXXbBWn67QHcvUfKhfMUIAxmhpgKcLOna60Z62vV9n/utESNIlkWQvzqbexL8AXq0qkvOiiSb4MNsvBx85B61oVca7CPEBRwk X-Gm-Message-State: AOJu0YxM96pmyffTeM7poJsSdLDg+72SjBzpwzkvgB86AUWTwyE8N3Hz ZVNd/BVbcEn8bysCZKZQVvm/ex9dZr4SkXNdpTDz28ckgAqUZkukgtLunDxW4J1GajNSn8R35MD Wfj50ht5BZciWR96FcAb7greOstXkphKKT02R X-Google-Smtp-Source: AGHT+IFp2AC6nvUhKQz6AMv7WyZ5oXPhr0rtnGcfQS1sgaG2uAQa0bpRE2ZUIFHISMv2iXbvk99QjwQPklq+fLJhdiA= X-Received: by 2002:a0c:f810:0:b0:699:2243:2948 with SMTP id r16-20020a0cf810000000b0069922432948mr17846qvn.35.1713892942538; Tue, 23 Apr 2024 10:22:22 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jacob Champion Date: Tue, 23 Apr 2024 10:22:11 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Michael Paquier Cc: Heikki Linnakangas , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Apr 22, 2024 at 10:42=E2=80=AFPM Michael Paquier wrote: > > On Mon, Apr 22, 2024 at 10:47:51AM +0300, Heikki Linnakangas wrote: > > On 22/04/2024 10:19, Michael Paquier wrote: > >> As a whole, I can get behind a unique GUC that forces the use of > >> direct. Or, we could extend the existing "ssl" GUC with a new > >> "direct" value to accept only direct connections and restrict the > >> original protocol (and a new "postgres" for the pre-16 protocol, > >> rejecting direct?), while "on" is able to accept both. > > > > I'd be OK with that, although I still don't really see the point of for= cing > > this from the server side. We could also add this later. > > I'd be OK with doing something only in v18, if need be. Jacob, what > do you think? I think it would be nice to have an option like that. Whether it's done now or in 18, I don't have a strong opinion about. But I do think it'd be helpful to have a consensus on whether or not this is a security improvement, or a performance enhancement only, before adding said option. As it's implemented, if the requiredirect option doesn't actually requiredirect, I think it looks like security but isn't really. (My ideal server-side option removes all plaintext negotiation and forces the use of direct SSL for every connection, paired with a new postgresqls:// scheme for the client. But I don't have any experience making a switchover like that at scale, and I'd like to avoid a StartTLS-vs-LDAPS sort of situation. That's obviously not a conversation for 17.) As for HBA control: overall, I don't see a burning need for an HBA-based configuration, honestly. I'd prefer to reduce the number of knobs and make it easier to apply the strongest security with a broad brush. --Jacob