| From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Jacob Champion <jchampion(at)timescale(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz> |
| Subject: | re: Direct SSL connection and ALPN loose ends |
| Date: | 2024-04-29 17:10:44 |
| Message-ID: | CAEudQAr=MYq_xYkRcV+gTFydLrVdiMtBxjJ+Lv8ENUEs1gchdQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
With TLS 1.3 and others there is possibly a security flaw using ALPN [1].
It seems to me that the ALPN protocol can be bypassed if the client does
not correctly inform the ClientHello header.
So, the suggestion is to check the ClientHello header in the server and
terminate the TLS handshake early.
Patch attached.
best regards,
Ranier Vilela
[1] terminate-tlsv1-3-handshake-if-alpn-is-missing
<https://stackoverflow.com/questions/77271498/terminate-tlsv1-3-handshake-if-alpn-is-missing>
| Attachment | Content-Type | Size |
|---|---|---|
| terminate-tls-handshake-if-no-alpn.patch | application/octet-stream | 1.9 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Hill | 2024-04-29 17:47:10 | CVE's addressed in next update |
| Previous Message | Chris Cleveland | 2024-04-29 16:17:15 | Possible to get LIMIT in an index access method? |