Re: Direct SSL connection with ALPN and HBA rules - Mailing list pgsql-hackers
From | Jacob Champion |
---|---|
Subject | Re: Direct SSL connection with ALPN and HBA rules |
Date | |
Msg-id | CAOYmi+mTtPidmC-EP_sSjUrmKm1XcyKNVfR2O7re=rmYVUnAFA@mail.gmail.com Whole thread Raw |
In response to | Re: Direct SSL connection with ALPN and HBA rules (Heikki Linnakangas <hlinnaka@iki.fi>) |
List | pgsql-hackers |
[this should probably belong to a different thread, but I'm not sure what to title it] On Mon, May 13, 2024 at 4:08 AM Heikki Linnakangas <hlinnaka@iki.fi> wrote: > I think these options should be designed from the user's point of view, > so that the user can specify the risks they're willing to accept, and > the details of how that's accomplished are handled by libpq. For > example, I'm OK with (tick all that apply): > > [ ] passive eavesdroppers seeing all the traffic > [ ] MITM being able to hijack the session > [ ] connecting without verifying the server's identity > [ ] divulging the plaintext password to the server > [ ] ... I'm pessimistic about a quality-of-protection scheme for this use case (*). I don't think users need more knobs in their connection strings, and many of the goals of transport encryption are really not independent from each other in practice. As evidence I point to the absolute mess of GSSAPI wrapping, which lets you check separate boxes for things like "require the server to authenticate itself" and "require integrity" and "allow MITMs to reorder messages" and so on, as if the whole idea of "integrity" is useful if you don't know who you're talking to in the first place. I think I recall slapd having something similarly arcane (but at least it doesn't make the clients do it!). Those kinds of APIs don't evolve well, in my opinion. I think most people probably just want browser-grade security as quickly and cheaply as possible, and we don't make that very easy today. I'll try to review a QoP scheme if someone works on it, don't get me wrong, but I'd much rather spend time on a "very secure by default" mode that gets rid of most of the options (i.e. a postgresqls:// scheme). (*) I've proposed quality-of-protection in the past, for Postgres proxy authentication [1]. But I'm comfortable in my hypocrisy, because in that case, the end user doing the configuration is a DBA with a config file who is expected to understand the whole system, and it's a niche use case (IMO) without an obvious "common setup". And frankly I think my proposal is unlikely to go anywhere; the cost/benefit probably isn't good enough. > If you need to verify > the server's identity, it implies sslmode=verify-CA or > channel_binding=true. Neither of those two options provides strong authentication of the peer, and personally I wouldn't want them to be considered worthy of "verify the server's identity" mode. And -- taking a wild leap here -- if we disagree, then granularity becomes a problem: either the QoP scheme now has to have sub-checkboxes for "if the server knows my password, that's good enough" and "it's fine if the server's hostname doesn't match the cert, for some reason", or it smashes all of those different ideas into one setting and then I have to settle for the weakest common denominator during an active attack. Assuming I haven't missed a third option, will that be easier/better than the status quo of require_auth+sslmode? > A different line of thought is that to keep the attack surface as smal > as possible, you should specify very explicitly what exactly you expect > to happen in the authentication, and disallow any variance. For example, > you expect SCRAM to be used, with a certificate signed by a particular > CA, and if the server requests anything else, that's suspicious and the > connection is aborted. We should make that possible too That's 'require_auth=scram-sha-256 sslmode=verify-ca', no? --Jacob [1] https://www.postgresql.org/message-id/0768cedb-695a-8841-5f8b-da2aa64c8f3a%40timescale.com
pgsql-hackers by date: