public inbox for [email protected]
help / color / mirror / Atom feedFrom: Heikki Linnakangas <[email protected]>
To: Jelte Fennema-Nio <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Postgres hackers <[email protected]>
Subject: Re: Direct SSL connection with ALPN and HBA rules
Date: Mon, 13 May 2024 00:39:07 +0300
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAGECzQS9V5t9-gNtd8pUXR+Rv1vZFE6bPYvt1bO-f+c_UkXGHw@mail.gmail.com>
References: <[email protected]>
<CAOYmi+=sj+1uydS0NR4nYzw-LRWp3Q-s5speBug5UCLSPMbvGA@mail.gmail.com>
<[email protected]>
<CAOYmi+kfsRfopQRTuJwpsO50Urq=-gwYDJ1fWNkDr3oYM1wdjA@mail.gmail.com>
<CA+TgmoZspODpL6AYbANpffhbF+Q12xo1pHXrR9ZSkYfEQWpP3w@mail.gmail.com>
<CAOYmi+k3x-aKiVzyLfzdxFdmcBmVD8UvcwfB075BkNqyA1aa9w@mail.gmail.com>
<CA+TgmobR1R8q-rT06oWdLw_Kp_i67Uey9b+rWVrrpCJVSDNBFQ@mail.gmail.com>
<CAOYmi+=TB8=yfXoBk=p0k0GPaCD79F8xXcypZFkjKmPKuT0hjQ@mail.gmail.com>
<[email protected]>
<CAOYmi+nWKJNihuMpT+ZVTC5-d+pQdACTK7xKhhwAB075EHrOMg@mail.gmail.com>
<[email protected]>
<CAOYmi+k2kJcJLMj=K4Vb3S_J6tN6989Wfi5+amqf15VkHcej3Q@mail.gmail.com>
<[email protected]>
<CAOYmi+mAfO2hXfpOrpjhSZZf7Rq-rCywdyyfygkqbZ0KZjOBTg@mail.gmail.com>
<[email protected]>
<CAGECzQS9V5t9-gNtd8pUXR+Rv1vZFE6bPYvt1bO-f+c_UkXGHw@mail.gmail.com>
On 11/05/2024 23:45, Jelte Fennema-Nio wrote:
> On Fri, 10 May 2024 at 15:50, Heikki Linnakangas <[email protected]> wrote:
>> New proposal:
>>
>> - Remove the "try both" mode completely, and rename "requiredirect" to
>> just "direct". So there would be just two modes: "postgres" and
>> "direct". On reflection, the automatic fallback mode doesn't seem very
>> useful. It would make sense as the default, because then you would get
>> the benefits automatically in most cases but still be compatible with
>> old servers. But if it's not the default, you have to fiddle with libpq
>> settings anyway to enable it, and then you might as well use the
>> "requiredirect" mode when you know the server supports it. There isn't
>> anything wrong with it as such, but given how much confusion there's
>> been on how this all works, I'd prefer to cut this back to the bare
>> minimum now. We can add it back in the future, and perhaps make it the
>> default at the same time. This addresses points 2. and 3. above.
>>
>> and:
>>
>> - Only allow sslnegotiation=direct with sslmode=require or higher. This
>> is what you, Jacob, wanted to do all along, and addresses point 1.
>>
>> Thoughts?
>
> Sounds mostly good to me. But I think we'd want to automatically
> increase sslmode to require if it is unset, but sslnegotation is set
> to direct. Similar to how we bump sslmode to verify-full if
> sslrootcert is set to system, but sslmode is unset. i.e. it seems
> unnecessary/unwanted to throw an error if the connection string only
> contains sslnegotiation=direct
I find that error-prone. For example:
1. Try to connect to a server with direct negotiation: psql "host=foobar
dbname=mydb sslnegotiation=direct"
2. It fails. Maybe it was an old server? Let's change it to
sslnegotiation=postgres.
3. Now it succeeds. Great!
You might miss that by changing sslnegotiation to 'postgres', or by
removing it altogether, you not only made it compatible with older
server versions, but you also allowed falling back to a plaintext
connection. Maybe you're fine with that, but maybe not. I'd like to
nudge people to use sslmode=require, not rely on implicit stuff like
this just to make connection strings a little shorter.
I'm not a fan of sslrootcert=system implying sslmode=verify-full either,
for the same reasons. But at least "sslrootcert" is a clearly
security-related setting, so removing it might give you a pause, whereas
sslnegotition is about performance and compatibility.
In v18, I'd like to make sslmode=require the default. Or maybe introduce
a new setting like "encryption=ssl|gss|none", defaulting to 'ssl'. If we
want to encourage encryption, that's the right way to do it. (I'd still
recommend everyone to use an explicit sslmode=require in their
connection strings for many years, though, because you might be using an
older client without realizing it.)
--
Heikki Linnakangas
Neon (https://neon.tech)
view thread (29+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Direct SSL connection with ALPN and HBA rules
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox