Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzJXJ-0035yX-3v for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:02:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rzJXH-009f66-B6 for pgsql-hackers@arkaria.postgresql.org; Tue, 23 Apr 2024 17:02:27 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rzJXG-009f5y-Qq for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:02:26 +0000 Received: from mail-qk1-x72e.google.com ([2607:f8b0:4864:20::72e]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rzJXD-002YJo-LA for pgsql-hackers@lists.postgresql.org; Tue, 23 Apr 2024 17:02:25 +0000 Received: by mail-qk1-x72e.google.com with SMTP id af79cd13be357-78efd533a00so398474985a.0 for ; Tue, 23 Apr 2024 10:02:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1713891741; x=1714496541; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=vjTJfE4WZtjOJE/XrSAO1Vh7rwwexHnickH9DFsJEYY=; b=VLeHChbZY3kgoeH5/VLKjo9/q7EP+sdH4cNZSu6SRDWzVcZmkLEgIMNSypZ7u8WclL SJgIXiZYa/823Ihv+7JkcD+iWz2St8MKoGjh+1K1t8+5VsrqWekAgJGiRP+2r/uiq4p1 E/xJ77t6imyvS1P/xMwE3UOg19xGoZoK2uDMYYBu7TJjEMzuBOVqqFRE04yxayxwRHx6 GnbtiO+DKTvPg5iL6roiwjIpvhSEk5If/BSp75TppufPZSYjBqLR+LKj+dUvC22ggFiO Tv4WdbtaNgW13EBspDx7lkbJZ/P0xRsctzRF1I8gILxP0hPXIyy/ZUYccEme0qx24nSd N3+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713891741; x=1714496541; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vjTJfE4WZtjOJE/XrSAO1Vh7rwwexHnickH9DFsJEYY=; b=ZYYdOckntjnpAxyDd7BNEhLb7CMTAaQfst/GKvygVfvQSZBsawCIrL8RuzPY/2W7YT zsgUs1q8gr6deHjI2VU2fTFvC5rHDR0xzgPyixe8SQugp9tVSezUJuBQJTk6LD52VKDr NK5EO2NRvVbrGvcncPmNCDqTzt3wCkhGBePCGPfce5SZIgeDoHcEwdgELB2cQluyfyox jdVIUuqPfBO4MuDA4C8Qyfv4OyG0aSgLBB3lfmNhZMR1I26eOOEjnpKL1MIZYor/RHJx l5nxZ+cPxD5oJlWjMyKfLBO7r0KoFikYi0DwqiDHjeWJHqJ+Bb6vam1Keox40VuJJBIk 3tOg== X-Forwarded-Encrypted: i=1; AJvYcCX39FOQLsf4tpb+YdU6bX6R2Asrc4Roxi8gsVhq9Bs9zhQlJS86A9PlGorAnb9OJp91uLIqsbqP6Z7/kSm4KrX7DXA72jxdyrkxIDkDEgNO+ZVw X-Gm-Message-State: AOJu0YycmPFJiDFFjSB1PgF+pZpaW8pI5tRsmU2LzdDx6tdP4Ri2pPP4 vbO53C44dmJXwkWQW0rXICLGBVBrlES3NZCYvl8jIMm1bS2l4eh17xIlOLTJUV8ikHt7koFjL8/ BIn3hfUmf/EPpMLKeXKTninA+UkyvPDVNtfFW X-Google-Smtp-Source: AGHT+IGjPtk9zOphoxZmaK7XyI5wQc/YqP0OOO9tTtKNorWchDF75ZepZGywsu0JbnLC7JPh7i2gm8Dio4Ur5HoDG9U= X-Received: by 2002:a0c:d791:0:b0:6a0:7de0:a267 with SMTP id z17-20020a0cd791000000b006a07de0a267mr7165465qvi.59.1713891741322; Tue, 23 Apr 2024 10:02:21 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jacob Champion Date: Tue, 23 Apr 2024 10:02:10 -0700 Message-ID: Subject: Re: Direct SSL connection with ALPN and HBA rules To: Heikki Linnakangas Cc: Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Apr 19, 2024 at 2:43=E2=80=AFPM Heikki Linnakangas wrote: > > On 19/04/2024 19:48, Jacob Champion wrote: > > On Fri, Apr 19, 2024 at 6:56=E2=80=AFAM Heikki Linnakangas wrote: > >> With direct SSL negotiation, we always require ALPN. > > > > (As an aside: I haven't gotten to test the version of the patch that > > made it into 17 yet, but from a quick glance it looks like we're not > > rejecting mismatched ALPN during the handshake as noted in [1].) > > Ah, good catch, that fell through the cracks. Agreed, the client should > reject a direct SSL connection if the server didn't send ALPN. I'll add > that to the Open Items so we don't forget again. Yes, the client should also reject, but that's not what I'm referring to above. The server needs to fail the TLS handshake itself with the proper error code (I think it's `no_application_protocol`?); otherwise a client implementing a different protocol could consume the application-level bytes coming back from the server and act on them. That's the protocol confusion attack from ALPACA we're trying to avoid. > > Well, assuming the user is okay with plaintext negotiation at all. > > (Was that fixed before the patch went in? Is GSS negotiation still > > allowed even with requiredirect?) > > To disable sending the startup packet in plaintext, you need to use > sslmode=3Drequire. Same as before the patch. GSS is still allowed, as it > takes precedence over SSL if both are enabled in libpq. Per the docs: > > > Note that if gssencmode is set to prefer, a GSS connection is > > attempted first. If the server rejects GSS encryption, SSL is > > negotiated over the same TCP connection using the traditional > > postgres protocol, regardless of sslnegotiation. In other words, the > > direct SSL handshake is not used, if a TCP connection has already > > been established and can be used for the SSL handshake. Oh. That's actually disappointing, since gssencmode=3Dprefer is the default. A question I had in the original thread was, what's the rationale behind a "require direct ssl" option that doesn't actually require it? > >> What would be the use case of requiring > >> direct SSL in the server? What extra security do you get? > > > > You get protection against attacks that could have otherwise happened > > during the plaintext portion of the handshake. That has architectural > > implications for more advanced uses of SCRAM, and it should prevent > > any repeats of CVE-2021-23222/23214. And if the peer doesn't pass the > > TLS handshake, they can't send you anything that you might forget is > > untrusted (like, say, an error message). > > Can you elaborate on the more advanced uses of SCRAM? If you're using SCRAM to authenticate the server, as opposed to just a really strong password auth, then it really helps an analysis of the security to know that there are no plaintext bytes that have been interpreted by the client. This came up briefly in the conversations that led to commit d0f4824a. To be fair, it's a more academic concern at the moment; my imagination can only come up with problems for SCRAM-based TLS that would also be vulnerabilities for standard certificate-based TLS. But whether or not it's an advantage for the code today is also kind of orthogonal to my point. The security argument of direct SSL mode is that it reduces risk for the system as a whole, even in the face of future code changes or regressions. If you can't force its use, you're not reducing that risk very much. (If anything, a "require" option that doesn't actually require it makes the analysis more complicated, not less...) > >> Controlling these in HBA is a bit inconvenient, because you only find > >> out after authentication if it's allowed or not. So if e.g. direct SSL > >> connections are disabled for a user, > > > > Hopefully disabling direct SSL piecemeal is not a desired use case? > > I'm not sure it makes sense to focus on that. Forcing it to be enabled > > shouldn't have the same problem, should it? > > Forcing it to be enabled piecemeal based on role or database has similar > problems. Hm. For some reason I thought it was easier the other direction, but I can't remember why I thought that. I'll withdraw the comment for now :) --Jacob