Thread: Feature Request: Option for TLS no SSLRequest with psql

Feature Request: Option for TLS no SSLRequest with psql

From
AJ ONeal
Date:
Could we get a `postgrestls://` or `sslmode=tls` or --tls option that instructs psql to send straight TLS, skipping the 0000000804d2162f / 0000000804d21630 + N / Y / S handshake?

Rationale:

In the age of TLS, SNI, and ALPN, protocol routing and virtual hosting are easier, more reliable, and less expensive than they have ever been, but having to deal with a bespoke protocol handshake at "the edge" really puts a damper on things:

Currently, every single proxy / TLS tool has to decide whether or not to support Postgres specifically. It's a lot of duplicate work and causes Postgres support to lag until someone who is 1) familiar with the language 2) familiar with the codebase 3) familiar with postgres' SSLRequest 4) and has power to review and accept changes is available (and willing) to help.


It would be great if the postgres server also supported receiving straight TLS, but since the reverse proxy / load balancer typically terminates the TLS in these settings, even if it were only available in the client, it would simplify protocol routing greatly.

Note: in many instances subdomains are used to specify user/db to route to, so SNI+ALPN alone are enough to complete the routing, but even if the plaintext user/db/app message is being matched on, it's much easier for someone to write a module in any given proxy for that because it fits the same pattern as HTTP Host matching - it doesn't require a handshake on either side of the TLS termination, which is where the complexity comes in.

AJ ONeal
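The preamble the request refers to is small enough to show in full. The following is an added example, not code from the thread or from PostgreSQL: it builds the 8-byte SSLRequest / GSSENCRequest messages (int32 length, int32 magic code, big-endian, the documented protocol values), interprets the single-byte server reply, and classifies the first bytes a client sends the way a routing proxy would have to, telling a direct TLS ClientHello (record content type 0x16, major version 0x03, a heuristic chosen here, not a protocol guarantee) apart from the PostgreSQL preambles and a plaintext StartupMessage. The sample inputs at the bottom are constructed for this example.

```python
"""Added example: recognise and produce the PostgreSQL pre-TLS preamble and
tell it apart from a direct TLS ClientHello, as an edge proxy must."""
import struct

# Magic request codes from the PostgreSQL frontend/backend protocol:
# high 16 bits are 1234, low 16 bits 5679 (SSLRequest) or 5680 (GSSENCRequest).
SSL_REQUEST_CODE = (1234 << 16) | 5679      # 0x04d2162f
GSSENC_REQUEST_CODE = (1234 << 16) | 5680   # 0x04d21630
TLS_HANDSHAKE_CONTENT_TYPE = 0x16           # TLS record type carrying a ClientHello


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest: int32 length (8) followed by the int32 code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def build_gssenc_request() -> bytes:
    """The 8-byte GSSENCRequest, same layout with the GSSENC code."""
    return struct.pack("!II", 8, GSSENC_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """Interpret the single byte the server returns for an SSLRequest.

    b'S': the server will proceed with a TLS handshake on this socket.
    b'N': it will not; the client may continue in plaintext or abort.
    Anything else (e.g. an error message from a pre-7.x server or a
    non-PostgreSQL listener) is a protocol error, not something to guess at.
    """
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response: {reply!r}")


def classify_client_preamble(data: bytes) -> str:
    """Classify the first bytes a client sends, as a routing proxy would.

    Returns 'tls-client-hello', 'ssl-request', 'gssenc-request',
    'startup-message' or 'unknown'. Direct TLS is decidable from the first
    bytes alone (heuristic: record type 0x16, major version 0x03), whereas
    the PostgreSQL preambles need the full 8-byte header.
    """
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE_CONTENT_TYPE and data[1] == 0x03:
        return "tls-client-hello"
    if len(data) < 8:
        return "unknown"
    length, code = struct.unpack("!II", data[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "ssl-request"
    if length == 8 and code == GSSENC_REQUEST_CODE:
        return "gssenc-request"
    # A plaintext StartupMessage carries the protocol version instead of a
    # magic code; protocol 3.x has major == 3 in the high 16 bits.
    if length >= 8 and (code >> 16) == 3:
        return "startup-message"
    return "unknown"


# Constructed sample inputs (not captured traffic).
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")  # record header + handshake start
_STARTUP_PARAMS = b"user\x00aj\x00\x00"
SAMPLE_STARTUP = struct.pack("!II", 8 + len(_STARTUP_PARAMS), 0x00030000) + _STARTUP_PARAMS

if __name__ == "__main__":
    print("SSLRequest bytes:", build_ssl_request().hex())
    for name, sample in [("ssl", build_ssl_request()),
                         ("gssenc", build_gssenc_request()),
                         ("tls", SAMPLE_TLS_CLIENT_HELLO),
                         ("startup", SAMPLE_STARTUP)]:
        print(f"{name:8s} -> {classify_client_preamble(sample)}")
```

The routing point of the post falls out of `classify_client_preamble`: a direct TLS ClientHello is identified from a fixed prefix, just like any other TLS service, while the SSLRequest path forces the proxy to consume the 8 bytes, answer `S` itself, and only then see the TLS handshake, which is the extra state the post complains about.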
AJ ONeal <coolaj86@proton.me> writes:
> Could we get a `postgrestls://` or `sslmode=tls` or --tls option that instructs psql to sends straight TLS, skipping
> the 0000000804d2162f / 0000000804d21630 + N / Y / S handshake?

You're too late:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e4

(and likewise too late about ALPN).

You might however care to weigh in on the ongoing argument about what
the libpq connection options controlling this should do (but not on
this list):

https://www.postgresql.org/message-id/flat/ad45965c-8b95-4bde-bf05-509ab6fccf96%40iki.fi

            regards, tom lane



Re: Feature Request: Option for TLS no SSLRequest with psql

From
Joe Conway
Date:
On 5/11/24 11:19, AJ ONeal wrote:
> Could we get a `postgrestls://` or `sslmode=tls` or --tls option that 
> instructs psql to sends straight TLS, skipping the 0000000804d2162f / 
> 0000000804d21630 + N / Y / S handshake?


You should probably be following the hackers mailing list. See:

https://www.postgresql.org/message-id/flat/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com

and commits:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=91044ae4baeac2e501e34164a69bd5d9c4976d21

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e459804831302807c724fa6512e90cf0


-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com




Re: Feature Request: Option for TLS no SSLRequest with psql

From
Joe Conway
Date:
On 5/11/24 11:59, Joe Conway wrote:
> On 5/11/24 11:19, AJ ONeal wrote:
>> Could we get a `postgrestls://` or `sslmode=tls` or --tls option that 
>> instructs psql to sends straight TLS, skipping the 0000000804d2162f / 
>> 0000000804d21630 + N / Y / S handshake?
> 
> 
> You should probably be following the hackers mailing list. See:
> 
> https://www.postgresql.org/message-id/flat/CAM-w4HOEAzxyY01ZKOj-iq%3DM4-VDk%3DvzQgUsuqiTFjFDZaebdg%40mail.gmail.com
> 
> and commits:
> 
> https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=91044ae4baeac2e501e34164a69bd5d9c4976d21
> 
> https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d39a49c1e459804831302807c724fa6512e90cf0

And as of a few moments ago:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=407e0b023cdb449dde65fd370c6cc48f5b8a5579

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com