pgsql: Reject SSL connection if ALPN is used but there's no common protocol
Reject SSL connection if ALPN is used but there's no common protocol
If the client supports ALPN but tries to use some other protocol, like
HTTPS, reject the connection in the server. That is surely a confusion
of some sort. Furthermore, the ALPN RFC 7301 says:
In the event that the server supports no protocols that the client
advertises, then the server SHALL respond with a fatal
"no_application_protocol" alert.
This commit makes the server follow that advice.
In the client, specifically check for the OpenSSL error code for the
"no_application_protocol" alert. Otherwise you got a cryptic "SSL
error: SSL error code 167773280" error if you tried to connect to a
non-PostgreSQL server that rejects the connection with
"no_application_protocol". ERR_reason_error_string() returns NULL for
that code, which frankly seems like an OpenSSL bug to me, but we can
easily print a better message ourselves.
Reported-by: Jacob Champion
Discussion: /messages/by-id/6aedcaa5-60f3-49af-a857-2c76ba55a1f3@iki.fi
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/17a834a04d5a60aedd6899488a53d939d525fb16
Modified Files
--------------
src/backend/libpq/be-secure-openssl.c | 10 +++++++---
src/interfaces/libpq/fe-secure-openssl.c | 12 ++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
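Both halves of the commit message describe logic rather than show it: the server's ALPN selection must fall through to a fatal no_application_protocol alert when nothing overlaps, and the client must recognise that alert even when the library hands it no reason string. The following is an added, self-contained illustration (not PostgreSQL's or OpenSSL's code) of that selection rule over RFC 7301's ProtocolNameList wire format and of the client-side message fallback. It assumes "postgresql" as the server's ALPN protocol name and models the OpenSSL callback outcomes with a plain enum, so it compiles without OpenSSL; the client inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of ALPN selection. Stands in for what an OpenSSL ALPN selection
 * callback would return (SSL_TLSEXT_ERR_OK vs SSL_TLSEXT_ERR_ALERT_FATAL);
 * plain values because this example does not link against OpenSSL. */
enum alpn_result {
    ALPN_SELECTED = 0,    /* common protocol found: negotiate it */
    ALPN_ALERT_FATAL = 1, /* no overlap: RFC 7301 says send no_application_protocol */
    ALPN_MALFORMED = 2    /* client list breaks RFC 7301 framing: also fatal */
};

/* ALPN protocol name the server advertises (assumed for this example). */
static const char *const PG_SERVER_PROTOCOLS[] = { "postgresql" };

/* Walk a client ProtocolNameList (RFC 7301 s.3.1: a sequence of
 * <1-byte length><name> entries, each name 1..255 bytes) and pick the first
 * server-preferred protocol the client also offered. Server preference
 * order wins, as with OpenSSL's SSL_select_next_proto(). */
enum alpn_result
alpn_select(const unsigned char *client, size_t client_len,
            const char *const *server, size_t n_server,
            const unsigned char **out, unsigned char *outlen)
{
    size_t pos;

    *out = NULL;
    *outlen = 0;

    /* Validate framing before trusting any length byte. */
    for (pos = 0; pos < client_len; pos += 1 + client[pos]) {
        if (client[pos] == 0 || pos + 1 + client[pos] > client_len)
            return ALPN_MALFORMED;
    }

    for (size_t i = 0; i < n_server; i++) {
        size_t slen = strlen(server[i]);

        for (pos = 0; pos < client_len; pos += 1 + client[pos]) {
            if (client[pos] == slen &&
                memcmp(client + pos + 1, server[i], slen) == 0) {
                *out = client + pos + 1;
                *outlen = client[pos];
                return ALPN_SELECTED;
            }
        }
    }
    return ALPN_ALERT_FATAL;   /* no common protocol: reject, do not NOACK */
}

/* Server side of the commit with the protocol list fixed. */
enum alpn_result
pg_alpn_select(const unsigned char *client, size_t client_len,
               const unsigned char **out, unsigned char *outlen)
{
    return alpn_select(client, client_len, PG_SERVER_PROTOCOLS,
                       sizeof PG_SERVER_PROTOCOLS / sizeof PG_SERVER_PROTOCOLS[0],
                       out, outlen);
}

/* Client side. TLS AlertDescription no_application_protocol (RFC 7301 s.3.2). */
#define TLS_ALERT_NO_APPLICATION_PROTOCOL 120

/* The commit's client-side check, modelled without OpenSSL: true when the
 * library gave no reason string (the commit message notes that
 * ERR_reason_error_string() returns NULL for this alert) but the alert
 * received was no_application_protocol. */
int
handshake_failure_is_alpn_reject(const char *lib_reason, int alert_desc)
{
    return lib_reason == NULL && alert_desc == TLS_ALERT_NO_APPLICATION_PROTOCOL;
}

/* Prefer the library's reason; fall back to a readable ALPN message before
 * resorting to a bare numeric code. */
const char *
describe_handshake_failure(const char *lib_reason, int alert_desc,
                           unsigned long err_code, char *buf, size_t buflen)
{
    if (lib_reason != NULL)
        snprintf(buf, buflen, "SSL error: %s", lib_reason);
    else if (handshake_failure_is_alpn_reject(lib_reason, alert_desc))
        snprintf(buf, buflen, "SSL error: no application protocol "
                 "(server does not support the client's ALPN protocol)");
    else
        snprintf(buf, buflen, "SSL error: SSL error code %lu", err_code);
    return buf;
}

int
main(void)
{
    /* Constructed client lists: a PostgreSQL client and an HTTPS client. */
    static const unsigned char pg_client[] = "\012postgresql";
    static const unsigned char https_client[] = "\002h2\010http/1.1";
    const unsigned char *sel;
    unsigned char sel_len;
    char buf[160];

    if (pg_alpn_select(pg_client, sizeof pg_client - 1, &sel, &sel_len) == ALPN_SELECTED)
        printf("negotiated %.*s\n", (int) sel_len, sel);
    if (pg_alpn_select(https_client, sizeof https_client - 1, &sel, &sel_len) == ALPN_ALERT_FATAL)
        printf("%s\n", describe_handshake_failure(NULL, TLS_ALERT_NO_APPLICATION_PROTOCOL,
                                                  0, buf, sizeof buf));
    return 0;
}
```

The malformed case is the one a real callback also has to get right: a length byte that runs past the end of the client's list must be rejected rather than read, which is why framing is validated before any comparison. Returning ALPN_ALERT_FATAL (instead of a "no acknowledgement" result that would let the handshake proceed without ALPN) is what produces the no_application_protocol alert the RFC text in the commit message quotes.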
Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
> Reject SSL connection if ALPN is used but there's no common protocol
A moderately large fraction of the buildfarm doesn't seem to
recognize SSL_AD_NO_APPLICATION_PROTOCOL.
regards, tom lane
On 30/04/2024 02:32, Tom Lane wrote:
> Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
>> Reject SSL connection if ALPN is used but there's no common protocol
> A moderately large fraction of the buildfarm doesn't seem to
> recognize SSL_AD_NO_APPLICATION_PROTOCOL.
*sigh*. I checked that it exists on OpenSSL 1.1.1, but according to
buildfarm it's not present on OpenSSL 1.0.2 or LibreSSL. I'll add an
#ifdef guard. OpenSSL 1.0.2 support is about to be removed from master,
and we can live with a poor error message on LibreSSL. It's not
something that users should normally hit.
--
Heikki Linnakangas
Neon (https://neon.tech)
Heikki Linnakangas <hlinnaka@iki.fi> writes:
> On 30/04/2024 02:32, Tom Lane wrote:
>> A moderately large fraction of the buildfarm doesn't seem to
>> recognize SSL_AD_NO_APPLICATION_PROTOCOL.
> *sigh*. I checked that it exists on OpenSSL 1.1.1, but according to
> buildfarm it's not present on OpenSSL 1.0.2 or LibreSSL. I'll add an
> #ifdef guard. OpenSSL 1.0.2 support is about to be removed from master,
> and we can live with a poor error message on LibreSSL. It's not
> something that users should normally hit.
WFM. Thanks!
regards, tom lane