Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxgS9-00AuPR-DM for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 05:06:26 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rxgS7-00F6L1-Li for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 05:06:23 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxgS6-00F6Kt-3S for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 05:06:23 +0000 Received: from wfout2-smtp.messagingengine.com ([64.147.123.145]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxgS2-003Z6F-9W for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 05:06:20 +0000 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfout.west.internal (Postfix) with ESMTP id 429361C0013D for ; Fri, 19 Apr 2024 01:06:16 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Fri, 19 Apr 2024 01:06:16 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:content-type:content-type:date:date:from:from:in-reply-to :message-id:mime-version:reply-to:subject:subject:to:to; s=fm3; t=1713503175; x=1713589575; bh=oToV8BtRyBLLfWYHOb6wt8iHhzE0GZ+H 2c7TIZrvHik=; b=lzY5qFrMipFQJtwIaC1uoDp8C8ENeXd0ZNxvxI2J1N0WQaVK /5H4HGBZyhEYxA7DvC66sR9PdaU9dHJSDKKENYDBZSUeedo74W1Ptk2SEjifPNYX AroHEVzBhT/MFXzcbLzxdhxXYzBdHPbVJybiPoNDI/TgugfrOuVj/HX6fxLuaXJi cVOVB91qCjo6B0wQX/K+ZxvnuZxuULZM4aQaXO5sRwa3m6yn5x0E6vF98q9M5/sN pd10JnUNbbQIde6wdBkUBCusUq0mJv6gRZjekz0gETPtXASYCNcAuzhZC6m8e8us fKJlxUTHHVIqZj3BK3blZcx3xUmDJwEJIy1ZNQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1713503175; x=1713589575; bh=oToV8BtRyBLLfWYHOb6wt8iHhzE0GZ+H2c7 TIZrvHik=; b=PfK1G9y/W/0BB+SyfkmOSzpXWl8pzolQEXIYaqQsA0twL6WTrAo tyEyM2Wav3oMoxPauyFV0uPshCty425W47BHkCTTnNKrA8O14+JP+lJMl8H0d2Zr 6EZi+bU5HAA7fMGkvQ5fR0ibbv0BgJJPqseKJIONEIG0WVHvJIkOKmxKS26WZpsv dp7Ml05868XSLMOWUN/he62/4RRZRBGDNNi9JRpAinZhnI9xCFLscm+y3WPGL4DE OsvS+Ujr3tTHsxZYqW0Pf6zEgqzRu1gd5PlRtc0K4cR8dpprpD105CqTuXqZJ2Uy GKvHzTKsCvTOEtpQTvGIQHGSG9zeIZWeQww== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudekuddgkeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlfeehmdenucfjughrpeffhffvuffkgggtugesghdtreertddtvden ucfhrhhomhepofhitghhrggvlhcurfgrqhhuihgvrhcuoehmihgthhgrvghlsehprghquh hivghrrdighiiiqeenucggtffrrghtthgvrhhnpeeihedvveekjeejudduheegjeeivdfh hfefgeeftdejieelgedtgeffhfetvdevtdenucffohhmrghinhepphhoshhtghhrvghsqh hlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhho mhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiihii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Fri, 19 Apr 2024 01:06:14 -0400 (EDT) Date: Fri, 19 Apr 2024 14:06:04 +0900 From: Michael Paquier To: Postgres hackers Subject: Direct SSL connection with ALPN and HBA rules Message-ID: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="3NdCv67WViAsWkUy" Content-Disposition: inline List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --3NdCv67WViAsWkUy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi all, (Heikki in CC.) Since 91044ae4baea (require ALPN for direct SSL connections) and d39a49c1e459 (direct hanshake), direct SSL connections are supported (yeah!), still the thread where this has been discussed does not cover the potential impact on HBA rules: https://www.postgresql.org/message-id/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com My point is, would there be a point in being able to enforce that ALPN is used from the server rather than just relying on the client-side sslnegotiation to decide if direct SSL connections should be forced or not? Hence, I'd imagine that we could have an HBA option for hostssl rules, like a negotiation={direct,postgres,all} that cross-checks Port->alpn_used with the option value in a hostssl entry, rejecting the use of connections using direct connections or the default protocol if these are not used, giving users a way to avoid one. As this is a new thing, there may be an argument in this option for security reasons, as well, so as it would be possible for operators to turn that off in the server. Thoughts or comments? -- Michael --3NdCv67WViAsWkUy Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmYh+7wACgkQnvQgOdby QH14uw//dmGU9BLVFDl2HkVPWEZmIQPr/WCycU5ayJRtYlkEknFBFYZEX7xndwLn Qq5PbgXQChKyeVSAwtgGhMGItM310+OT7cdwCyLmwXgR2T7otgAZysTFEnga71hu +Xt3gkAL7/49vl8j/knjXEcVZZURg1n1qS5FIdUZGw+t/3+D63/f3NE352BsgaO5 smQ/RnOMqti/uCeMWoqluishrguJ6jV1M03RU0PnZbijHwBBJIJ0NU8cXoAJIIlx bcCZlUmr7A+N4N1Q/ljbMLcL7ZRNvqdNlXU3+z4oGTabjIiwycSwdArAIp1iSp1o zDJrFremLtNulKJTGUhfmBufw34A6MyodCtNa19CwEEyO7/Iw039z1Fx8ZAtjMLp mh3rSwuMp4Pt1PfD0Aok8TYHq9/2TmSj4jofRMntpKdkyrZqJ++zKvF7Pw4bPq5s 1H3/pnIWGyCYumHnxwQlCM2PZc2wZO09IAmpuB8OwNj7olVK/KLy4Mc3NEcWHjuW FyuDQtyWt+qCT8WekwzpbTu+64hMCJuq4b1X0NH/GS1G5kig1uy0sPQ1HKceWAAt LvjVU7LjxOmnx4dlobkLDSd98R3SMiqtC+KO9f1k8HduVLl72llfJfsnj4jKvaoK VFtQEkmnLEvc0Fg+jvrtN5y+REFg4p4ybejc2cyiy3eLo+eMnWU= =agB9 -----END PGP SIGNATURE----- --3NdCv67WViAsWkUy--