Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s5Qe5-005LQ3-6n for pgsql-hackers@arkaria.postgresql.org; Fri, 10 May 2024 13:50:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s5Qe3-00FbgO-J6 for pgsql-hackers@arkaria.postgresql.org; Fri, 10 May 2024 13:50:43 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s5Qe3-00Fbg6-62 for pgsql-hackers@lists.postgresql.org; Fri, 10 May 2024 13:50:43 +0000 Received: from meesny.iki.fi ([2001:67c:2b0:1c1::201]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s5Qe0-000LHL-2U for pgsql-hackers@lists.postgresql.org; Fri, 10 May 2024 13:50:42 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by meesny.iki.fi (Postfix) with ESMTPSA id 4VbVdP26ykzyRg; Fri, 10 May 2024 16:50:33 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1715349034; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=njqfvrDPhCDunjlcIaRjRyPJakBThZZSA1iP0HVM7Kw=; b=wmeFvPxP37x5EjPIN/8J47se+HANMTOgXn75cIknln6+iCVhWnzHvGtlMAl8bq3jr+ZtYW h5EnnAjpe2s5NbbuKEGcptJMTKThWCMKYIJ4mz/L6cQqJBV51+koNFlBakBn6bMlnMfean ysBHR3bToAnBrQRvLZRCVjSssULXNnI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1715349034; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=njqfvrDPhCDunjlcIaRjRyPJakBThZZSA1iP0HVM7Kw=; b=LppgTqzTj+lts5Ny1C0beDKnKzXC+qazzkBvvUyx+l5IIMhndiKZmVL2ONk5Zrfa2iHSTv YmTWtKPBpc3ox3RxO1KfMbVEckuaWL83cSVcmdbFOTxJ8bf8OWDFw4/XwKKMF3zgm9g6Bm 6tiN2cIrQJWFDrrbkEgI1y24OoWHgrY= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1715349034; a=rsa-sha256; cv=none; b=SvwjY4g2wWOO41yo/AwnXhIveOhZcm1LsSsquqEJj2fN0BOCmsbDDfpoBl9nMReAKdJPiD WURhIjYf8IkOk92Ko43CvYpEfsceKbTTUMLkrCJXTXYL9Dq2PpiLHrlv4l6GEa6c1aa1fw X4cjVbVgUjnhklFmgvG24S9HO0eh9wE= Message-ID: Date: Fri, 10 May 2024 16:50:32 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Jacob Champion Cc: Daniel Gustafsson , Robert Haas , Michael Paquier , Postgres hackers References: <5a79ed71-b365-4b20-80bc-9c2bf97bf84b@iki.fi> <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 29/04/2024 22:32, Jacob Champion wrote: > On Mon, Apr 29, 2024 at 12:06 PM Heikki Linnakangas wrote: >> There is a small benefit with sslmode=prefer if you connect to a server >> that doesn't support SSL, though. With sslnegotiation=direct, if the >> server rejects the direct SSL connection, the client will reconnect and >> try SSL with SSLRequest. The server will respond with 'N', and the >> client will proceed without encryption. sslnegotiation=directonly >> removes that SSLRequest attempt, eliminating one roundtrip. > > Okay, agreed that in this case, there is a performance benefit. It's > not enough to convince me, honestly, but are there any other cases I > missed as well? I realized one case that hasn't been discussed so far: If you use the combination of "sslmode=prefer sslnegotiation=requiredirect" to connect to a pre-v17 server that has SSL enabled but does not support direct SSL connections, you will fall back to a plaintext connection instead. That's almost certainly not what you wanted. I'm coming around to your opinion that we should not allow that combination. Stepping back to summarize my thoughts, there are now three things I don't like about the status quo: 1. As noted above, the sslmode=prefer and sslnegotiation=requiredirect combination is somewhat dangerous, as you might unintentionally fall back to plaintext authentication when connecting to a pre-v17 server. 2. There is an asymmetry between "postgres" and "direct" option names. "postgres" means "try only traditional negotiation", while "direct" means "try direct first, and fall back to traditional negotiation if it fails". That is apparent only if you know that the "requiredirect" mode also exists. 3. The "require" word in "requiredirect" suggests that it's somehow more strict or more secure, similar to sslmode=require. However, I don't consider direct SSL connections to be a security feature. New proposal: - Remove the "try both" mode completely, and rename "requiredirect" to just "direct". So there would be just two modes: "postgres" and "direct". On reflection, the automatic fallback mode doesn't seem very useful. It would make sense as the default, because then you would get the benefits automatically in most cases but still be compatible with old servers. But if it's not the default, you have to fiddle with libpq settings anyway to enable it, and then you might as well use the "requiredirect" mode when you know the server supports it. There isn't anything wrong with it as such, but given how much confusion there's been on how this all works, I'd prefer to cut this back to the bare minimum now. We can add it back in the future, and perhaps make it the default at the same time. This addresses points 2. and 3. above. and: - Only allow sslnegotiation=direct with sslmode=require or higher. This is what you, Jacob, wanted to do all along, and addresses point 1. Thoughts? -- Heikki Linnakangas Neon (https://neon.tech)