Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ryoPS-000ccW-H6 for pgsql-hackers@arkaria.postgresql.org; Mon, 22 Apr 2024 07:48:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ryoPR-000XOY-7l for pgsql-hackers@arkaria.postgresql.org; Mon, 22 Apr 2024 07:48:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ryoPQ-000XO1-Qc for pgsql-hackers@lists.postgresql.org; Mon, 22 Apr 2024 07:48:16 +0000 Received: from lahtoruutu.iki.fi ([2a0b:5c81:1c1::37]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ryoP3-002Ik3-V0 for pgsql-hackers@lists.postgresql.org; Mon, 22 Apr 2024 07:48:16 +0000 Received: from [192.168.1.115] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VNHRC6PV8z49Q33; Mon, 22 Apr 2024 10:47:51 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713772072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LKlVXdCjt4uNBJiRDhLKqcgu7Z4mIfIBEX/YPuynPmU=; b=iG2u3IbjkTh8jkw1/rkENv6fstxSYOVXx5xiFSyGBLudusMCfXebcmEC5o2usdZOaPFRGo 4OuOEeDd64CLZ1UmZTn8rqAxZ0T4fp886kaUH7uQZkngwa0nduvV7MIZeB0eg5PIoen4Yh nlHVsntBjQuD1Hv8HWHBhvOSyZw4bOzujKDZc+E5dbhvdk8h7jwUCwEGsle3Cm4MObxLc1 jUADVhkdE1hSnMMWBvsbot4xLGRKKGjHj4sJHlTLPwnnmdB7PABxRkuwE6OcMPwMiUAks6 fr7xks6ZqbtAMyJrpiwwMS6uK7rQUjaWSQjhAvEYOM4X16H98PDYh9VgSanemQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1713772072; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LKlVXdCjt4uNBJiRDhLKqcgu7Z4mIfIBEX/YPuynPmU=; b=n9TuTJ2bNzc7+PAVRLTpICOAXSEMSYk8NVnHMIDTUv9JGqM8Ay3LlkKkGBidckHcCAzUN7 uhpso5jwIhfnzVrAAzVUUuhCLGBYCAPd/vcK72kB90xO76Qq0fJlPxu86QrXxQkheQ5Iqs g64RxJyPdIQYz49doBjsFKyjOz0dUtUmW0qSTfcj8x2PEz/K0H9GDKuR49b2p/qgvof9wF Gm6EEaQo/ToHG2F3fEoaCskeS3wDve15cR2OhSGp4Hy2hAYK4l/M+BxCVbeYg8P6eLvTKx qiSF9uILSa7H4kjc42jrVz0juHf3a+wzoAwyM7RPyBerD0VfNX327BQFIrQr5A== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1713772072; a=rsa-sha256; cv=none; b=NXcXWG+PdK/hNBNGBnPD+k8A6iwS7q0PDia/P18kWW+Buec9LarxjzrVuT6fHm0ZRzKSin x7J5Ra+UNLdIxpkq7ErQgMwkE3M5pGzh6dQ+JafzMsVdqU3lcYlA9A8Sgrx8ywA58PGeq7 sfg8YGqBzYZWjo9R8jlDrp7vlz9Uxv0rq7SyMNc3pl41HQEii6YRz3kQ4upmOMtk8sptDM nVCHOkas6ynYExVnJK9Mk3SkvVrMaeylBco1xJ89nLixivscaGsouMaSfpwN3lL9DhRYVv +PQSJjQZe6+hi1lZEEA/JWjvHJVqQ6jAKjAMA7j0GJLlNwnd1sUwKIo2Dt2cmQ== Message-ID: Date: Mon, 22 Apr 2024 10:47:51 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Direct SSL connection with ALPN and HBA rules To: Michael Paquier Cc: Jacob Champion , Postgres hackers References: Content-Language: en-US From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 22/04/2024 10:19, Michael Paquier wrote: > On Sat, Apr 20, 2024 at 12:43:24AM +0300, Heikki Linnakangas wrote: >> On 19/04/2024 19:48, Jacob Champion wrote: >>> On Fri, Apr 19, 2024 at 6:56 AM Heikki Linnakangas wrote: >>>> With direct SSL negotiation, we always require ALPN. >>> >>> (As an aside: I haven't gotten to test the version of the patch that >>> made it into 17 yet, but from a quick glance it looks like we're not >>> rejecting mismatched ALPN during the handshake as noted in [1].) >> >> Ah, good catch, that fell through the cracks. Agreed, the client should >> reject a direct SSL connection if the server didn't send ALPN. I'll add that >> to the Open Items so we don't forget again. > > Would somebody like to write a patch for that? I'm planning to look > at this code more closely, as well. I plan to write the patch later today. >>>> Controlling these in HBA is a bit inconvenient, because you only find >>>> out after authentication if it's allowed or not. So if e.g. direct SSL >>>> connections are disabled for a user, >>> >>> Hopefully disabling direct SSL piecemeal is not a desired use case? >>> I'm not sure it makes sense to focus on that. Forcing it to be enabled >>> shouldn't have the same problem, should it? > > I'd get behind the case where a server rejects everything except > direct SSL, yeah. Sticking that into a format similar to HBA rules > would easily give the flexibility to be able to accept or reject > direct or default SSL, though, while making it easy to parse. The > implementation is not really complicated, and not far from the > existing hostssl and nohostssl. > > As a whole, I can get behind a unique GUC that forces the use of > direct. Or, we could extend the existing "ssl" GUC with a new > "direct" value to accept only direct connections and restrict the > original protocol (and a new "postgres" for the pre-16 protocol, > rejecting direct?), while "on" is able to accept both. I'd be OK with that, although I still don't really see the point of forcing this from the server side. We could also add this later. >> Forcing it to be enabled piecemeal based on role or database has similar >> problems. Forcing it enabled for all connections seems sensible, though. >> Forcing it enabled based on the client's source IP address, but not >> user/database would be somewhat sensible too, but we don't currently have >> the HBA code to check the source IP and accept/reject SSLRequest based on >> that. The HBA rejection always happens after the client has sent the startup >> packet. > > Hmm. Splitting the logic checking HBA entries (around check_hba) so > as we'd check for a portion of its contents depending on what the > server has received or not from the client would not be that > complicated. I'd question whether it makes sense to mix this > information within the same configuration files as the ones holding > the current HBA rules. If the same rules are used for the > pre-startup-packet phase and the post-startup-packet phase, we'd want > new keywords for these HBA rules, something different than the > existing sslmode and no sslmode? Sounds complicated, and I don't really see the use case for controlling the direct SSL support in such a fine-grained fashion. It would be nice if we could reject non-SSL connections before the client sends the startup packet, but that's not possible because in a plaintext connection, that's the first packet that the client sends. The reverse would be possible: reject SSLRequest or direct SSL connection immediately, if HBA doesn't allow non-SSL connections from that IP address. But that's not very interesting. HBA-based control would certainly be v18 material. -- Heikki Linnakangas Neon (https://neon.tech)