Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" - Mailing list pgsql-bugs

From Markus KARG
Subject Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
Date
Msg-id 5fc24305-136e-4a6e-993e-b10dc2300403@headcrashing.eu
In response to Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
> Markus KARG <markus@headcrashing.eu> writes:
>> Following this theory, sslnegotiation=postgres used with psql v17.x
>> should solve the problem, as it falls back to the same mechanism
>> supported in v16.3, correct?
>
> No, sorry, it looks like we insert the ALPN extension into the SSL
> request packet regardless of that.  Maybe there should have been
> a way to suppress that, but v17 libpq doesn't provide one.

Thank you, Tom, you saved my day! I have explicitly added the name `postgresql` to the ALPN configuration on Traefik, and immediately psql v16.4+ (including psql v17) worked like a charm!

As a reference for others, in `traefik-dynamic.yaml` add the following to make it work (as long as you patch the `default` TLS options, take care to keep all those protocols contained; alternatively, patch a per-router TLS config instead to ONLY have postgresql in that list):

    ## Dynamic configuration
    tls:
      options:
        default:
          alpnProtocols:
            - acme-tls/1
            - http/1.1
            - h2
            - postgresql

>> Regarding your question: I have tried "sslnegotiation=postgres" and
>> "ssqlnegotiation=direct" with the original official PostgreSQL Docker
>> Container found on Docker Hub.
>
> Let's clarify something here: there is nothing "official" about either
> that docker container or anything else you might find on DockerHub.
> The Postgres community does not produce any such packaging.  You'd
> have to discuss the inclusion of v17 libpq with whoever did build
> that container.  I know that Debian thinks it's a good idea to use
> latest libpq with older servers, and this builder might be following
> their lead.  (The timing would be about right, since v17.0 came out
> about the same time as 16.4.)  This example does show that there
> are pitfalls in that policy.

Thanks a lot for this really essential information! In fact, the authors of that official docker image (they really call it that way) call themselves "The PostgreSQL Docker Community". This is totally misleading, as one understands that to be "The Docker Community within the PostgreSQL Community", which it (apparently) is not. Instead, it seems that it actually is "The PostgreSQL Community at Docker, Inc.", people totally unrelated to the "real" PostgreSQL Community!

Thanks a lot, Tom, for your kind help. You provided the best Christmas present this year! :-)
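Added example, not part of the original message and not PostgreSQL or Traefik code: a small model of why the ALPN list in the configuration above decides whether the handshake survives. It parses the ALPN extension out of a ClientHello extensions block and applies the RFC 7301 server rule; the helper names, the host `db.example.test` and the "before" list (the list above without `postgresql`) are assumptions made for illustration.

```python
import struct

ALPN_EXT = 0x0010              # ALPN extension type (RFC 7301)
NO_APPLICATION_PROTOCOL = 120  # fatal alert code (RFC 7301)

def ext(ext_type, body):
    """Frame one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def alpn_ext(protocols):
    """Encode the ALPN extension the way a client places it in the ClientHello."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return ext(ALPN_EXT, struct.pack("!H", len(names)) + names)

def parse_alpn(extensions):
    """Return the ALPN names offered in an extensions block, or None if absent."""
    i = 0
    while i + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, i)
        data = extensions[i + 4:i + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        i += 4 + ext_len
        if ext_type != ALPN_EXT:
            continue
        if len(data) < 2 or struct.unpack_from("!H", data)[0] != len(data) - 2:
            raise ValueError("bad ALPN list length")
        names, j = [], 2
        while j < len(data):
            n = data[j]
            if n == 0 or j + 1 + n > len(data):
                raise ValueError("bad ALPN name length")
            names.append(data[j + 1:j + 1 + n].decode("ascii"))
            j += 1 + n
        return names
    return None

def select(server_protocols, offered):
    """RFC 7301 server rule: no offer -> no ALPN; overlap -> match; else fatal alert."""
    if offered is None:
        return ("ok", None)
    for proto in server_protocols:
        if proto in offered:
            return ("ok", proto)
    return ("alert", NO_APPLICATION_PROTOCOL)

SNI = ext(0, struct.pack("!HBH", 18, 0, 15) + b"db.example.test")  # constructed sample
BEFORE = ["acme-tls/1", "http/1.1", "h2"]  # assumed proxy list without postgresql
AFTER = BEFORE + ["postgresql"]            # the list from the configuration above
```

A client that sends no ALPN extension passes either list, while one that offers only `postgresql` gets alert 120 (`no_application_protocol`) against `BEFORE` and a match against `AFTER`.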
