Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" - Mailing list pgsql-bugs

From Heikki Linnakangas
Subject Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
Msg-id 2bfb5b13-63d7-4bce-96b4-8e075fe7d97a@iki.fi
In response to psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"  (Markus KARG <markus@headcrashing.eu>)
Responses Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
List pgsql-bugs
On 25/12/2024 19:05, Markus KARG wrote:
> I am running the official PostgreSQL 17.2 Docker Container
> (https://hub.docker.com/layers/library/postgres/17.2/images/sha256-c063081175f45f4a3a5ac03c234e060e67618ebe75b49e2a7ffb79f8357bd1e6)
> proxied by a TLSv1.3 proxy (official Traefik 3.2.3 Docker Container
> https://hub.docker.com/layers/library/traefik/v3.2.3/images/sha256-06966a9ba1747ad724a490b8f27df1434c64e8eee5d681df03c4761c9653f62c).
> Traefik utilizes ACME with Let's Encrypt to produce the TLS certificate.

In v17, libpq requests the ALPN extension in the TLS handshake. Looks 
like the proxy doesn't know about the "postgresql" ALPN protocol, and 
rejects the connection.

I guess Traefik needs some configuration changes to tell it that the 
"postgresql" protocol is expected. Or code changes.

> Using the official PostgreSQL Docker Container (16.3 vs 16.4+), I am 
> asking psql to connect to my server. While psql 16.3 and earlier 
> versions successfully connect via the TLS proxy to the PostgreSQL 
> server, psql 16.4 and later versions fail doing so:
> 
> root@hetzner-2:~# docker run -it postgres:16.3 psql "host=headcrashing.eu port=5432 dbname=postgres user=postgres password=... sslmode=require"
> psql (16.3 (Debian 16.3-1.pgdg120+1), server 17.2 (Debian 17.2-1.pgdg120+1))
> WARNING: psql major version 16, server major version 17.
>           Some psql features might not work.
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_128_GCM_SHA256, compression: off)
> Type "help" for help.
> 
> postgres=# \q
> root@hetzner-2:~# docker run -it postgres:16.4 psql "host=headcrashing.eu port=5432 dbname=postgres user=postgres password=... sslmode=require"
> psql: error: connection to server at "headcrashing.eu" (49.13.53.107), port 5432 failed: SSL error: tlsv1 alert no application protocol

There were no changes between 16.3 and 16.4 to explain this. When I test 
that with v16 client that I built from sources, I don't get that error.

The error message suggests that you're actually using libpq v17. And 
indeed I get that error when connecting with v17 client. Perhaps the 
postgres:16.4 docker image was built with v17 libpq?

-- 
Heikki Linnakangas
Neon (https://neon.tech)
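
Added example, not part of the original message and not PostgreSQL or Traefik code: a sketch of the server-side ALPN selection rule from RFC 7301, showing why a client that offers only "postgresql" gets the fatal `no_application_protocol` alert from a TLS terminator whose protocol list lacks it, while a client that sends no ALPN extension connects. The function names and the proxy protocol lists are hypothetical and constructed for illustration.

```python
import struct

NO_APPLICATION_PROTOCOL = 120  # fatal TLS alert number defined by RFC 7301


class AlpnAlert(Exception):
    """Raised where a server would send the no_application_protocol alert."""

    def __init__(self, offered):
        super().__init__(f"no_application_protocol: client offered {offered}")
        self.alert = NO_APPLICATION_PROTOCOL


def encode_alpn(protocols):
    """Build the ALPN extension_data: u16 list length, then u8-length-prefixed names."""
    body = b"".join(bytes([len(p)]) + p for p in protocols)
    return struct.pack("!H", len(body)) + body


def parse_alpn(data):
    """Parse a ProtocolNameList, rejecting truncated or inconsistent lengths."""
    if len(data) < 4 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
        raise ValueError("bad ProtocolNameList length")
    names, i = [], 2
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[i + 1:i + 1 + n])
        i += 1 + n
    return names


def select_alpn(client_ext, server_protocols):
    """Return the chosen protocol, None if ALPN is not in play, else raise AlpnAlert."""
    if client_ext is None or not server_protocols:
        return None  # no extension sent, or server ignores it: handshake proceeds
    offered = parse_alpn(client_ext)
    for proto in server_protocols:  # server preference order
        if proto in offered:
            return proto
    raise AlpnAlert(offered)


if __name__ == "__main__":
    hello = encode_alpn([b"postgresql"])  # constructed: what the message says v17 libpq requests
    for server in ([b"h2", b"http/1.1"], [b"postgresql"]):  # hypothetical proxy lists
        try:
            print(server, "->", select_alpn(hello, server))
        except AlpnAlert as exc:
            print(server, "->", exc)
```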



