Direct SSL connection with ALPN and HBA rules - Mailing list pgsql-hackers

From Michael Paquier
Subject Direct SSL connection with ALPN and HBA rules
Date
Msg-id ZiH7vHwEJeRKHlST@paquier.xyz
Whole thread Raw
Responses Re: Direct SSL connection with ALPN and HBA rules
List pgsql-hackers
Hi all,
(Heikki in CC.)

Since 91044ae4baea (require ALPN for direct SSL connections) and
d39a49c1e459 (direct hanshake), direct SSL connections are supported
(yeah!), still the thread where this has been discussed does not cover
the potential impact on HBA rules:
https://www.postgresql.org/message-id/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com

My point is, would there be a point in being able to enforce that ALPN
is used from the server rather than just relying on the client-side
sslnegotiation to decide if direct SSL connections should be forced or
not?

Hence, I'd imagine that we could have an HBA option for hostssl rules,
like a negotiation={direct,postgres,all} that cross-checks
Port->alpn_used with the option value in a hostssl entry, rejecting
the use of connections using direct connections or the default
protocol if these are not used, giving users a way to avoid one.  As
this is a new thing, there may be an argument in this option for
security reasons, as well, so as it would be possible for operators to
turn that off in the server.

Thoughts or comments?
--
Michael

Attachment

pgsql-hackers by date:

Previous
From: Thomas Munro
Date:
Subject: Re: cfbot is failing all tests on FreeBSD/Meson builds
Next
From: Bertrand Drouvot
Date:
Subject: Re: promotion related handling in pg_sync_replication_slots()