From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Direct SSL connection and ALPN loose ends |
Date: | 2024-06-24 20:30:53 |
Message-ID: | c82ad227-e049-4e18-8898-475a748b5a5a@iki.fi |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 21/06/2024 02:32, Jacob Champion wrote:
> On Thu, Jun 20, 2024 at 4:13 PM Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>>> By "negotiation" I mean the server's response to the startup packet.
>>> I.e. "supported"/"not supported"/"error".
>>
>> Ok, I'm still a little confused, probably a terminology issue. The
>> server doesn't respond with "supported" or "not supported" to the
>> startup packet, that happens earlier. I think you mean the SSLRequst /
>> GSSRequest packet, which is sent *before* the startup packet?
>
> Yes, sorry. (I'm used to referring to those as startup packets too, ha.)
Yeah I'm not sure what the right term would be.
>> Hmm, right, GSS encryption was introduced in v12, and older versions
>> respond with an error to a GSSRequest.
>>
>> We probably could make the same assumption for GSS as we did for TLS in
>> a49fbaaf, i.e. that an error means that something's wrong with the
>> server, rather than that it's just very old and doesn't support GSS. But
>> the case for that is a lot weaker case than with TLS. There are still
>> pre-v12 servers out there in the wild.
>
> Right. Since we default to gssencmode=prefer, if you have Kerberos
> creds in your environment, I think this could potentially break
> existing software that connects to v11 servers once you upgrade libpq.
When you connect to a V11 server and attempt to perform GSSAPI
authentication, it will respond with a V3 error that says: "unsupported
frontend protocol 1234.5680: server supports 2.0 to 3.0". That was a
surprise to me until I tested it just now. I thought that it would
respond with a protocol V2 error, but it is not so. The backend sets
FrontendProtocol to 1234.5680 before sending the error, and because it
is >= 3, the error is sent with protocol version 3.
Given that, I think it is a good thing to fail the connection completely
on receiving a V2 error.
Attached is a patch to fix the other issue, with falling back from SSL
to plaintext. And some tests and comment fixes I spotted while at it.
0001: A small comment fix
0002: This is the main patch that fixes the SSL fallback issue
0003: This adds fault injection tests to exercise these early error
codepaths. It is not ready to be merged, as it contains a hack to skip
locking. See thread at
https://www.postgresql.org/message-id/e1ffb822-054e-4006-ac06-50532767f75b%40iki.fi.
0004: More tests, for what happens if the server sends an error after
responding "yes" to the SSLRequest or GSSRequest, but before performing
the SSL/GSS handshake.
Attached is also a little stand-alone perl program that listens on a
socket, and when you connect to it, it immediately sends a V2 or V3
error, depending on the argument. That's useful for testing. It could be
used as an alternative strategy to the injection points I used in the
0003-0004 patches, but for now I just used it for manual testing.
--
Heikki Linnakangas
Neon (https://neon.tech)
Attachment | Content-Type | Size |
---|---|---|
0001-Fix-outdated-comment-after-removal-of-direct-SSL-fal.patch | text/x-patch | 1.0 KB |
0002-Fix-fallback-behavior-when-server-sends-an-ERROR-ear.patch | text/x-patch | 2.3 KB |
0003-WIP-Add-injection-points-and-test-for-early-backend-.patch | text/x-patch | 7.6 KB |
0004-WIP-Add-tests-for-errors-during-ssl-or-gssapi-handsh.patch | text/x-patch | 2.9 KB |
serve-pgsql-error.pl | application/x-perl | 830 bytes |
From | Date | Subject | |
---|---|---|---|
Next Message | Nikolay Shaplov | 2024-06-24 20:33:29 | Re: POC, WIP: OR-clause support for indexes |
Previous Message | Robert Haas | 2024-06-24 20:28:28 | Re: RFC: Additional Directory for Extensions |