Thread: Feature Request: Option for TLS no SSLRequest with psql
Could we get a `postgrestls://` or `sslmode=tls` or --tls option that instructs psql to sends straight TLS, skipping the 0000000804d2162f / 0000000804d21630 + N / Y / S handshake?
Rationale:
In the age of TLS, SNI, and ALPN, protocol routing and virtual hosting is easier, more reliable, and less expensive than it's ever been, but having to deal with a bespoke protocol handshake at "the edge" really puts a damper on things:
Currently, every single proxy / TLS tool has to decide whether or not to support Postgres specifically. It's a lot of duplicate work and causes Postgres support to lag until someone who is 1) familiar with the language 2) familiar with the codebase 3) familiar with postgres' SSLRequest 4) and has power to review and accept changes is available (and willing) to help.
(re: https://github.com/mholt/caddy-l4/issues/187, https://github.com/traefik/traefik/issues/9929, https://github.com/envoyproxy/envoy/issues/2861, https://github.com/therootcompany/sclient/issues/5, and many more)
It would be great if the
postgres server also supported receiving straight TLS, but since the reverse proxy / load balancer typically terminates the TLS in these settings, even if it were only available in the client, it would simplify protocol routing greatly.Note: in many instances subdomains are used to specify user/db to route to, so SNI+ALPN alone are enough to complete the routing, but even if the plaintext user/db/app message is being matched on, it's much easier for someone to write a module in any given proxy for that because it fits the same pattern as HTTP Host matching - it doesn't require a handshake on either side of the TLS termination, which is where the complexity comes in.
AJ ONeal
AJ ONeal <coolaj86@proton.me> writes: > Could we get a `postgrestls://` or `sslmode=tls` or --tls option that instructs psql to sends straight TLS, skipping the0000000804d2162f / 0000000804d21630 + N / Y / S handshake? You're too late: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e4 (and likewise too late about ALPN). You might however care to weigh in on the ongoing argument about what the libpq connection options controlling this should do (but not on this list): https://www.postgresql.org/message-id/flat/ad45965c-8b95-4bde-bf05-509ab6fccf96%40iki.fi regards, tom lane
On 5/11/24 11:19, AJ ONeal wrote: > Could we get a `postgrestls://` or `sslmode=tls` or --tls option that > instructs psql to sends straight TLS, skipping the 0000000804d2162f / > 0000000804d21630 + N / Y / S handshake? You should probably be following the hackers mailing list. See: https://www.postgresql.org/message-id/flat/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com and commits: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=91044ae4baeac2e501e34164a69bd5d9c4976d21 https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e459804831302807c724fa6512e90cf0 -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
On 5/11/24 11:59, Joe Conway wrote: > On 5/11/24 11:19, AJ ONeal wrote: >> Could we get a `postgrestls://` or `sslmode=tls` or --tls option that >> instructs psql to sends straight TLS, skipping the 0000000804d2162f / >> 0000000804d21630 + N / Y / S handshake? > > > You should probably be following the hackers mailing list. See: > > https://www.postgresql.org/message-id/flat/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com > > and commits: > > https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=91044ae4baeac2e501e34164a69bd5d9c4976d21 > > https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e459804831302807c724fa6512e90cf0 And as of a few moments ago: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=407e0b023cdb449dde65fd370c6cc48f5b8a5579 -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com