Re: Direct SSL connection and ALPN loose ends - Mailing list pgsql-hackers
| From | Andres Freund |
|---|---|
| Subject | Re: Direct SSL connection and ALPN loose ends |
| Date | |
| Msg-id | 20240617183335.k42zab6hdl3zhakf@awork3.anarazel.de Whole thread Raw |
| In response to | Direct SSL connection and ALPN loose ends (Heikki Linnakangas <hlinnaka@iki.fi>) |
| List | pgsql-hackers |
Hi, On 2024-04-29 18:24:04 +0300, Heikki Linnakangas wrote: > All reported bugs have now been fixed. We now enforce ALPN in all the right > places. Please let me know if I missed something. Very minor and not really your responsibility: If provided with the necessary key information, wireshark can decode TLS exchanges when using sslnegotiation=postgres but not with direct. Presumably it needs to be taught postgres' ALPN id or something. Example with direct: 476 6513.310308457 192.168.0.113 → 192.168.0.200 48978 5432 142 TLSv1.3 Finished 477 6513.310341492 192.168.0.113 → 192.168.0.200 48978 5432 151 TLSv1.3 Application Data 478 6513.320730295 192.168.0.200 → 192.168.0.113 5432 48978 147 TLSv1.3 New Session Ticket 479 6513.320745684 192.168.0.200 → 192.168.0.113 5432 48978 147 TLSv1.3 New Session Ticket 480 6513.321175713 192.168.0.113 → 192.168.0.200 48978 5432 68 TCP 48978 → 5432 [ACK] Seq=915 Ack=1665 Win=62848 Len=0TSval=3779915421 TSecr=3469016093 481 6513.323161553 192.168.0.200 → 192.168.0.113 5432 48978 518 TLSv1.3 Application Data 482 6513.323626180 192.168.0.113 → 192.168.0.200 48978 5432 125 TLSv1.3 Application Data 483 6513.333977769 192.168.0.200 → 192.168.0.113 5432 48978 273 TLSv1.3 Application Data 484 6513.334581920 192.168.0.113 → 192.168.0.200 48978 5432 95 TLSv1.3 Application Data 485 6513.334666116 192.168.0.113 → 192.168.0.200 48978 5432 92 TLSv1.3 Alert (Level: Warning, Description: Close Notify) Example with postgres: 502 6544.752799560 192.168.0.113 → 192.168.0.200 46300 5432 142 TLSv1.3 Finished 503 6544.752842863 192.168.0.113 → 192.168.0.200 46300 5432 151 PGSQL >? 504 6544.763152222 192.168.0.200 → 192.168.0.113 5432 46300 147 TLSv1.3 New Session Ticket 505 6544.763163155 192.168.0.200 → 192.168.0.113 5432 46300 147 TLSv1.3 New Session Ticket 506 6544.763587595 192.168.0.113 → 192.168.0.200 46300 5432 68 TCP 46300 → 5432 [ACK] Seq=923 Ack=1666 Win=62848 Len=0TSval=3779946864 TSecr=3469047536 507 6544.765024827 192.168.0.200 → 192.168.0.113 5432 46300 518 PGSQL <R/S/S/S/S/S/S/S/S/S/S/S/S/S/S/K/Z 508 6544.766288155 192.168.0.113 → 192.168.0.200 46300 5432 125 PGSQL >Q 509 6544.776974164 192.168.0.200 → 192.168.0.113 5432 46300 273 PGSQL <T/D/D/D/D/D/D/D/D/D/D/C/Z 510 6544.777597927 192.168.0.113 → 192.168.0.200 46300 5432 95 PGSQL >X 511 6544.777631520 192.168.0.113 → 192.168.0.200 46300 5432 92 TLSv1.3 Alert (Level: Warning, Description: Close Notify) Note that in the second one it knows what's inside the "Application Data" messages and decodes them (S: startup, authentication ok, parameters, cancel key, ready for query, C: simple query, S: description, 10 rows, command complete, ready for query). In the GUI you can obviously go into the "postgres messages" in more detail than I know how to do on the console. A second aspect is that I'm not super happy about the hack of stashing data into Port. I think medium term we'd be better off separating out the buffering for unencrypted and encrypted data properly. It turns out that not having any buffering *below* openssl (i.e. the encrypted data) hurts both for the send and receive side, due to a) increased number of syscalls b) too many small packets being sent, as we use TCP_NODELAY c) kernel memory copies being slower due to the small increments. Greetings, Andres Freund
pgsql-hackers by date: