Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxoil-00CBrw-3G for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 13:56:07 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rxoij-002gQZ-FC for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Apr 2024 13:56:05 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxoij-002gQR-1n for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 13:56:05 +0000 Received: from lahtoruutu.iki.fi ([185.185.170.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rxoie-003cgf-Ma for pgsql-hackers@lists.postgresql.org; Fri, 19 Apr 2024 13:56:03 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VLblJ1HS2z49Q4y; Fri, 19 Apr 2024 16:55:55 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713534956; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=N46EVRfloIR27i7SnHYQACAwmW59MWFdYUc9ZjVcyR4=; b=oV0EKVMYCHrbrGzsQaIkM44rPRX5ZTd5T3ZTZKC6W6terxoDjclU5eLerNluhmK0LI11S0 cJF9/Geb7xBA9Te7P8QOe7Cdr9NcM/AW7x/4GRiEgEIXISJYU3t4EPXqfEWAvdIwT6EhOe UDxUB8vHm3Os3qB8gJOTQX7V4hlqBGMwgI2MVb2bBpUaKe/E3/g88IaDzxj0QAlteQkDuL MzOsdVM38gWflvVBhvsM1NtQmwvd5oUK9x19sfZ5DcO2fxTyx3Abdzyd5IsKc/QkqXTDvS ZOWoBDfCVNCEwI1y3rBr5lwKvKYL3173IuRCp7DMsdV5+rHgWaGu1BefG4QcGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713534956; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=N46EVRfloIR27i7SnHYQACAwmW59MWFdYUc9ZjVcyR4=; b=o00X20WjP2iS6Vm+7xkm1ZdG134sqg6Ktr1+U+HwqMBtds2/zmrkzoIkeAH0tpz4qXkVx1 cfX6gTRkTV4BAvXr7oTNcLDg6wSMQjun5Qg9O02VrsTNMkvdXaGMNFg2ZITKERA/8TV2Cg HeZOgc+b81GgNcKvbOAv364JGMgTmiNlX7rJgNImTY96dyDrcJ+nUlJzzFqtsmRidEvFTe FlpXZepeGzykM1oIgmEltTS9jHVsOhT+mPFhtxYFLy9071ex8KbHdZk187wugP1lH85cYe JOzySxRwoS6EkRRL640DFekYiZgrQhuhUN/9smI8MxaKYo0kyztaThi0X0sXRA== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1713534956; a=rsa-sha256; cv=none; b=NJLPA8UfGU7IEhIESD4TVcSFuokUN0FTg2vpuDBByz/QjBZXFfTTsnMJ8RaR4KHmyqBQiK BCHZvbsu8N+ePKaoILV28bn3PMBiwXvfOIZnyhbZARiBj6v2eWaknMDFYQ8AEzDB1kN+zV x2mV0xbp0er6lR3Sfkzoa09w4ran0s0w9ztEIUlcUYoY2vRncGSlghfyNSzcB5HzfJdE8n KIGeH1zZktWPYfEfuTQt/nJkYssGTMiEFC2l0DYklhnBNKOX1qNMDW34UJNStdFMVPsNqc mwdbdxZu3h3Z8EvJZTQNeUcuM+8+QI6K4jASRebmbBs8C4ytjD5l6k41ScdcZg== Message-ID: Date: Fri, 19 Apr 2024 16:55:55 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Michael Paquier , Postgres hackers , Jacob Champion References: Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 19/04/2024 08:06, Michael Paquier wrote: > Hi all, > (Heikki in CC.) (Adding Jacob) > Since 91044ae4baea (require ALPN for direct SSL connections) and > d39a49c1e459 (direct hanshake), direct SSL connections are supported > (yeah!), still the thread where this has been discussed does not cover > the potential impact on HBA rules: > https://www.postgresql.org/message-id/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com > > My point is, would there be a point in being able to enforce that ALPN > is used from the server rather than just relying on the client-side > sslnegotiation to decide if direct SSL connections should be forced or > not? > > Hence, I'd imagine that we could have an HBA option for hostssl rules, > like a negotiation={direct,postgres,all} that cross-checks > Port->alpn_used with the option value in a hostssl entry, rejecting > the use of connections using direct connections or the default > protocol if these are not used, giving users a way to avoid one. As > this is a new thing, there may be an argument in this option for > security reasons, as well, so as it would be possible for operators to > turn that off in the server. I don't think ALPN gives any meaningful security benefit, when used with the traditional 'postgres' SSL negotiation. There's little possibility of mixing that up with some other protocol, so I don't see any need to enforce it from server side. This was briefly discussed on that original thread [1]. With direct SSL negotiation, we always require ALPN. I don't see direct SSL negotiation as a security feature. Rather, the point is to reduce connection latency by saving one round-trip. For example, if gssencmode=prefer, but the server refuses GSS encryption, it seems fine to continue with negotiated SSL, instead of establishing a new connection with direct SSL. What would be the use case of requiring direct SSL in the server? What extra security do you get? Controlling these in HBA is a bit inconvenient, because you only find out after authentication if it's allowed or not. So if e.g. direct SSL connections are disabled for a user, the client would still establish a direct SSL connection, send the startup packet, and only then get rejected. The client would not know if it was rejected because of the direct SSL or for some reason, so it needs to retry with negotiated SSL. Currently, as it is master, if the TLS layer is established with direct SSL, you never need to retry with traditional negotiation, or vice versa. [1] https://www.postgresql.org/message-id/CAAWbhmjetCVgu9pHJFkQ4ejuXuaz2mD1oniXokRHft0usCa7Yg%40mail.gmail.com -- Heikki Linnakangas Neon (https://neon.tech)