Re: Introducing SNI in TLS handshake for SSL connections

From: Pablo Iranzo Gómez <Pablo(dot)Iranzo(at)redhat(dot)com>
To: Andreas Karlsson <andreas(at)proxel(dot)se>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Introducing SNI in TLS handshake for SSL connections
Date: 2018-12-14 07:37:08
Message-ID: 20181214073708.GQ20222@redhat.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

+++ Andreas Karlsson [13/12/18 01:30 +0100]:
>On 12/11/18 3:52 PM, Pablo Iranzo Gómez wrote:
>>I came to this old thread while trying to figure out on how to setup
>>postgres replication behind OpenShift/Kubernetes behind a route
>>(which only forwards 80 or 443 traffic), but could work if SNI is
>>supported on the client using it.
>
>Hm ... while hacking at a patch for this I gave your specific problem
>some more thought.
>
>I am not familiar with OpenShift or Kubernetes but I want you to be
>aware of that whatever proxy you are going to use will still need to
>be aware of, at least a subset of, the PostgreSQL protocol, since
>similar to SMTP's STARTTLS command the PostgreSQL client will start
>out using the plain text PostgreSQL protocol and then request the
>server to switch over to SSL[1]. So it would be necessary to add
>support for this to whatever proxy you intend to use.
>
>Do you know if adding such custom protocol support is easy to do to
>the proxies you refer to? And do you have any links to documentation
>for these solutions?

I saw that they did incorporate some changes like SPDY support and other
http related things.

Let me try to find an answer (now sure how long will it take) and come
back.

I've did some basic search at
https://git.haproxy.org/?p=haproxy.git;a=summary but nothing evident
(for me).

I'll keep you updated.
Pablo

>
>Notes
>
>1. https://www.postgresql.org/docs/11/protocol-flow.html#id-1.10.5.7.11
>
>Andreas

--

Pablo Iranzo Gómez (Pablo(dot)Iranzo(at)redhat(dot)com) GnuPG: 0x5BD8E1E4
Senior Software Engineer - Solutions Engineering iranzo @ IRC
RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA #110-215-852 RHCA Level V

Blog: https://iranzo.github.io https://citellus.org

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Meskes 2018-12-14 07:42:21 Re: [PROPOSAL]a new data type 'bytea' for ECPG
Previous Message Rushabh Lathia 2018-12-14 06:02:09 Re: Hitting CheckRelationLockedByMe() ASSERT with force_generic_plan