Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing - Mailing list pgsql-hackers

From Lukas Meisegeier
Subject Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
Date
Msg-id 1ef7d393-8966-af7c-f235-262cfa9478c4@gmx.de
In response to Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
Hey Heikki,

thanks for providing feedback :)
The traffic between proxy and psql-server is unencrypted, that's why I
don't need to patch the server.
I tried returning a fixed response on the first plain SSLRequest
forwarding it to a psql-server with ssl enabled and tried to switch then
on the ssl connection startup but that didn't work out. I guess it's
because the psql-server won't accept an ssl connection if it's not
requested via SSLRequest.
I would definitely appreciate it if the psql-server could accept the
TLS-client hello directly but we would still need to set the
tls-sni-extension correctly.
Perhaps we could rename the parameter to "sslplainrequest(yes/no)" and
start with making the plain SSLRequest optional in the psql-server.

Best Regards
Lukas


On 11-Dec-20 at 14:26, Heikki Linnakangas wrote:
> On 10/12/2020 17:49, Lukas Meisegeier wrote:
>> I try to host multiple postgresql-servers on the same ip and the same
>> port through SNI-based load-balancing.
>> Currently this is not possible because of two issues:
>> 1. The psql client won't set the tls-sni-extension correctly
>> (https://www.postgresql.org/message-id/20181211145240.GL20222%40redhat.com)
>>
>> 2. The psql connection protocol implements an SSLRequest in plain text
>> before actually opening a connection.
>>
>> The first issue is easily solvable by calling
>> `SSL_set_tlsext_host_name(conn->ssl,
>> conn->connhost[conn->whichhost].host)` before opening the connection.
>>
>> The second issue is also solvable through a new parameter
>> "ssltermination" which, if set to "proxy", will skip the initial
>> SSLRequest and connect directly through ssl.
>> The default value would be "server" which changes nothing on the
>> existing behaviour.
>
> Don't you need backend changes as well? The backend will still expect
> the client to send an SSLRequest. Or is the connection from the proxy to
> the actual server unencrypted?
>
> It's not very nice that the client needs to set special options,
> depending on whether the server is behind a proxy or not. Could you
> teach the proxy to deal with the SSLRequest message?
>
> Perhaps we should teach the backend to accept a TLS ClientHello
> directly, without the SSLRequest message. That way, the client could
> send the ClientHello without SSLRequest, and the proxy wouldn't need to
> care about SSLRequest. It would also eliminate one round-trip from the
> protocol handshake, which would be nice. A long deprecation/transition
> period would be needed before we could make that the default behavior,
> but that's ok.
>
> - Heikki


