From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Direct SSL connection and ALPN loose ends |
Date: | 2024-06-17 15:23:54 |
Message-ID: | c936c7bd-e559-4a25-adc5-b1fe81635630@iki.fi |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 17/06/2024 17:11, Jacob Champion wrote:
> On Mon, Apr 29, 2024 at 8:24 AM Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>> I was mostly worried about the refactoring of the
>> retry logic in libpq (and about the pre-existing logic too to be honest,
>> it was complicated before these changes already).
>
> Some changes in the v17 negotiation fallback order caught my eye:
>
> 1. For sslmode=prefer, a modern v3 error during negotiation now
> results in a fallback to plaintext. For v16 this resulted in an
> immediate failure. (v2 errors retain the v16 behavior.)
> 2. For gssencmode=prefer, a legacy v2 error during negotiation now
> results in an immediate failure. In v16 it allowed fallback to SSL or
> plaintext depending on sslmode.
>
> Are both these changes intentional/desirable? Change #1 seems to
> partially undo the decision made in a49fbaaf:
>
>> Don't assume that "E" response to NEGOTIATE_SSL_CODE means pre-7.0 server.
>>
>> These days, such a response is far more likely to signify a server-side
>> problem, such as fork failure. [...]
>>
>> Hence, it seems best to just eliminate the assumption that backing off
>> to non-SSL/2.0 protocol is the way to recover from an "E" response, and
>> instead treat the server error the same as we would in non-SSL cases.
They were not intentional. Let me think about the desirable part :-).
By "negotiation", which part of the protocol are we talking about
exactly? In the middle of the TLS handshake? After sending the startup
packet?
I think the behavior with v2 and v3 errors should be the same. And I
think an immediate failure is appropriate on any v2/v3 error during
negotiation, assuming we don't use those errors for things like "TLS not
supported", which would warrant a fallback.
--
Heikki Linnakangas
Neon (https://neon.tech)
From | Date | Subject | |
---|---|---|---|
Next Message | David E. Wheeler | 2024-06-17 15:52:10 | FYI: LLVM Runtime Crash |
Previous Message | Robert Haas | 2024-06-17 15:21:18 | Re: Conflict Detection and Resolution |