Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxw19-00DFbx-OV for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 21:43:36 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rxw18-005gnJ-0d for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 21:43:34 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxw17-005gnB-KS for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 21:43:33 +0000 Received: from lahtoruutu.iki.fi ([185.185.170.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxw13-003fsv-D7 for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 21:43:31 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VLp6h4Wb9z49Q0f; Sat, 20 Apr 2024 00:43:24 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713563006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hyFAS89LVrH/paC6+2EBNiw3brCKvUNjruKTT6ynVHg=; b=mzUAl8P/g+VTnCDEGeCLd/oE6mYLBjnIoZCurUrafp/EA9nj+9UB3NMB5eb25DIoIhnD9C TE8IHnzEPtkOUMVqSaKIwj/tMkJiQBXOw+mzlwddR7gt3eqnZeudfnfd2fEKU4DgItuED3 h8gr7A73qL4AvJnsDC4I7q5qnJg/kgRxkTZU59F2Q+xejQEE8PQOWbC7y6doJlUG6k0yU0 FSvpeybYIZzE2q8ck0XTyzCZhrC7yIocw0HAsmDYcvaZhW6/aUFDHdBzNyXn5FcotJk9gn eIOxmiA+ysKkkFPOvChSE1pDbK7Q4o6ZHGdCvPMLMbeBsTls13j17P8OQELxjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713563006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hyFAS89LVrH/paC6+2EBNiw3brCKvUNjruKTT6ynVHg=; b=WHWPhWtOM/f77MrzJySdjED7GuopByJhVwJbeO3+d0vjkqyALEanit54TCmHUWAsNQo50/ TSnkideyv18AIV2XwMCLBTqzDa+oOoyfwp4g/FOHzI5eNXM/oe4pIYkJbn9gY5tnoOy2ee pcYwMjkIWSFBX5YOblwQ3cHo36YN9OIVvoXtfO5C/jfxSOGfJPIaIv4Xqzv72+kVUQvoBB UnuB/96G+yUr5mHpR98X8YjH5FITGea1u7EZvUM3Why89xpD8jPhE8z+33c9JV0UafkmvS BAFmTK4oXzX1G6ENa8KcRVvs1lNiaLdl3hGp7QXCjrwFPwttsZDJXjRKB+vs0Q== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1713563006; a=rsa-sha256; cv=none; b=c89cL2tHojkCHQAx/yhgefNB+DLh8hGLX9/ciedyZ0WwmJamDr8j/v2LZfoH39oqDZzugQ DvBEB+xzPUfZBv+1VaKqtZ+oVFlJM36kAX05ehDEfKLMBuV+s0/uutLfoRUaUcZW3qAiQl t8/uvIuB3GrRFcOtBfe9y0QVA4QS5cfj8GJK0wfoSaLLmpnNUixZYV+LuomfL5vmGzvezv 3amRckUMXlv1qb0q3ZPCUsO5JpaA7ql/swCW/KA4FMvzgSorZbPugxYbzxpcDuQiEd2NpX ZHm/VxrOn9KDxx6tFwjKjl8t7XYOqEjKgD0mZnvw4zIXNwunK9cWeWfduR8UIA== Message-ID: Date: Sat, 20 Apr 2024 00:43:24 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Jacob Champion Cc: Michael Paquier , Postgres hackers References: Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 19/04/2024 19:48, Jacob Champion wrote: > On Fri, Apr 19, 2024 at 6:56 AM Heikki Linnakangas wrote: >> With direct SSL negotiation, we always require ALPN. > > (As an aside: I haven't gotten to test the version of the patch that > made it into 17 yet, but from a quick glance it looks like we're not > rejecting mismatched ALPN during the handshake as noted in [1].) Ah, good catch, that fell through the cracks. Agreed, the client should reject a direct SSL connection if the server didn't send ALPN. I'll add that to the Open Items so we don't forget again. >> I don't see direct SSL negotiation as a security feature. > > `direct` mode is not, since it's opportunistic, but I think people are > going to use `requiredirect` as a security feature. At least, I was > hoping to do that myself... > >> Rather, the >> point is to reduce connection latency by saving one round-trip. For >> example, if gssencmode=prefer, but the server refuses GSS encryption, it >> seems fine to continue with negotiated SSL, instead of establishing a >> new connection with direct SSL. > > Well, assuming the user is okay with plaintext negotiation at all. > (Was that fixed before the patch went in? Is GSS negotiation still > allowed even with requiredirect?) To disable sending the startup packet in plaintext, you need to use sslmode=require. Same as before the patch. GSS is still allowed, as it takes precedence over SSL if both are enabled in libpq. Per the docs: > Note that if gssencmode is set to prefer, a GSS connection is > attempted first. If the server rejects GSS encryption, SSL is > negotiated over the same TCP connection using the traditional > postgres protocol, regardless of sslnegotiation. In other words, the > direct SSL handshake is not used, if a TCP connection has already > been established and can be used for the SSL handshake. >> What would be the use case of requiring >> direct SSL in the server? What extra security do you get? > > You get protection against attacks that could have otherwise happened > during the plaintext portion of the handshake. That has architectural > implications for more advanced uses of SCRAM, and it should prevent > any repeats of CVE-2021-23222/23214. And if the peer doesn't pass the > TLS handshake, they can't send you anything that you might forget is > untrusted (like, say, an error message). Can you elaborate on the more advanced uses of SCRAM? >> Controlling these in HBA is a bit inconvenient, because you only find >> out after authentication if it's allowed or not. So if e.g. direct SSL >> connections are disabled for a user, > > Hopefully disabling direct SSL piecemeal is not a desired use case? > I'm not sure it makes sense to focus on that. Forcing it to be enabled > shouldn't have the same problem, should it? Forcing it to be enabled piecemeal based on role or database has similar problems. Forcing it enabled for all connections seems sensible, though. Forcing it enabled based on the client's source IP address, but not user/database would be somewhat sensible too, but we don't currently have the HBA code to check the source IP and accept/reject SSLRequest based on that. The HBA rejection always happens after the client has sent the startup packet. -- Heikki Linnakangas Neon (https://neon.tech)