Re: Direct SSL connection and ALPN loose ends - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: Direct SSL connection and ALPN loose ends
Date
Msg-id 83e8fb18-269f-4458-861a-8816256a1247@iki.fi
Whole thread Raw
In response to re: Direct SSL connection and ALPN loose ends  (Ranier Vilela <ranier.vf@gmail.com>)
Responses Re: Direct SSL connection and ALPN loose ends
List pgsql-hackers
On 29/04/2024 20:10, Ranier Vilela wrote:
> Hi,
> 
> With TLS 1.3 and others there is possibly a security flaw using ALPN [1].
> 
> It seems to me that the ALPN protocol can be bypassed if the client does 
> not correctly inform the ClientHello header.
> 
> So, the suggestion is to check the ClientHello header in the server and
> terminate the TLS handshake early.

Sounds to me like it's working as designed. ALPN in general is optional; 
if the client doesn't request it, then you proceed without it. We do 
require ALPN for direct SSL connections though. We can, because direct 
SSL connections is a new feature in Postgres. But we cannot require it 
for the connections negotiated with SSLRequest, or we break 
compatibility with old clients that don't use ALPN.

There is a check in direct SSL mode that ALPN was used 
(ProcessSSLStartup in backend_startup.c):

>         if (!port->alpn_used)
>         {
>                 ereport(COMMERROR,
>                                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
>                                  errmsg("received direct SSL connection request without ALPN protocol negotiation
extension")));
>                 goto reject;
>         }

That happens immediately after the SSL connection has been established.

Hmm. I guess it would be better to abort the connection earlier, without 
completing the TLS handshake. Otherwise the client might send the first 
message in wrong protocol to the PostgreSQL server. That's not a 
security issue for the PostgreSQL server: the server disconnects without 
reading the message. And I don't see any way for an ALPACA attack when 
the server ignores the client's message. Nevertheless, from the point of 
view of keeping the attack surface as small as possible, aborting 
earlier seems better.

-- 
Heikki Linnakangas
Neon (https://neon.tech)




pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: CVE's addressed in next update
Next
From: Alexander Lakhin
Date:
Subject: Re: Add SPLIT PARTITION/MERGE PARTITIONS commands