From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | ronald(dot)van(dot)de(dot)kuil(at)nl(dot)ibm(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #17919: "client hello" message / SNI / Openshift Routes |
Date: | 2023-05-03 16:03:04 |
Message-ID: | CABUevExLSZss7rJ9DwD=EYCoYw=-pGG_npg83eXqxFFReQwK1A@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Wed, May 3, 2023 at 5:57 PM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 17919
> Logged by: Ronald van de Kuil
> Email address: ronald(dot)van(dot)de(dot)kuil(at)nl(dot)ibm(dot)com
> PostgreSQL version: 15.2
> Operating system: windows server 2019
> Description:
>
> I have deployed postgresql in Openshift with a certificate that matches its
> openshift route name.
>
> Then it should be possible to connect to the database instance via targeting
> the route in psql. The way that works, is that the openshift router looks at
> the SNI, and then it will be able to route it into the Pod that has the
> certificate with the same CN or SAN.
>
> I have wiresharked the connection, and noticed that psql does not send a
> client hello message.
>
> I would make a guess that this is related to the version of libpq, based on
> something which has been seen before on another project that is using
> postgresql in combination with terraform, see:
> https://github.com/cyrilgdn/terraform-provider-postgresql/pull/295
>
> When I take a look at the latest source code then I believe that provision
> have been made for setting up SNI connections:
>
> https://github.com/postgres/postgres/blob/master/doc/src/sgml/libpq.sgml#L1946
>
> Is this a bug?
What proxy do you use in openshift, and is it PostgreSQL aware?
PostgreSQL will send the client hello message *after* it has
negotiated with the server that SSL should be used. So to use SNI to
route things, you need a proxy that's aware of the PostgreSQL
protocol, performs the SSL negotiation and *then* looks at the SNI
packages. (In the documentation source link you sent, that is
explained in line 1957-1959).
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Devrim Gündüz | 2023-05-03 22:23:43 | Re: BUG #17918: Checksum failed while sync repos for a package |
Previous Message | Cyrus Lozano | 2023-05-03 15:18:30 | Re: BUG #17917: to_tsquery syntax error |