Hey Heikki,

thanks for providing feedback :)
The traffic between proxy and psql-server is unencrypted, that's why I
don't need to patch the server.
I tried returning a fixed response on the first plain SSLRequest,
forwarding it to a psql-server with ssl enabled, and tried to switch then
on the ssl connection startup, but that didn't work out. I guess it's
because the psql-server won't accept an ssl connection if it's not
requested via SSLRequest.
I would definitely appreciate it if the psql-server could accept the
TLS ClientHello directly, but we would still need to set the
tls-sni-extension correctly.
Perhaps we could rename the parameter to "sslplainrequest(yes/no)" and
start with making the plain SSLRequest optional in the psql-server.

Best Regards
Lukas


On 11-Dec-20 at 14:26, Heikki Linnakangas wrote:
On 10/12/2020 17:49, Lukas Meisegeier wrote:
I try to host multiple postgresql-servers on the same ip and the same
port through SNI-based load-balancing.
Currently this is not possible because of two issues:
1. The psql client won't set the tls-sni-extension correctly
(https://www.postgresql.org/message-id/20181211145240.GL20222%40redhat.com)

2. The psql connection protocol implements a SSLRequest in plain text
before actually opening a connection.

The first issue is easily solvable by calling
`SSL_set_tlsext_host_name(conn->ssl,
conn->connhost[conn->whichhost].host)` before opening the connection.

The second issue is also solvable through a new parameter
"ssltermination" which, if set to "proxy", will skip the initial
SSLRequest and connect directly through ssl.
The default value would be "server" which changes nothing on the
existing behaviour.

Don't you need backend changes as well? The backend will still expect
the client to send an SSLRequest. Or is the connection from the proxy to
the actual server unencrypted?

It's not very nice that the client needs to set special options,
depending on whether the server is behind a proxy or not. Could you
teach the proxy to deal with the SSLRequest message?

Perhaps we should teach the backend to accept a TLS ClientHello
directly, without the SSLRequest message. That way, the client could
send the ClientHello without SSLRequest, and the proxy wouldn't need to
care about SSLRequest. It would also eliminate one round-trip from the
protocol handshake, which would be nice. A long deprecation/transition
period would be needed before we could make that the default behavior,
but that's ok.

- Heikki


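To illustrate the two openings discussed in this thread, the following added example (not code from the thread, libpq or the PostgreSQL backend) shows how a proxy could tell a plain-text SSLRequest from a direct TLS ClientHello on a new connection and answer the SSLRequest itself. The names `classify_first_bytes` and `proxy_reply` and the sample byte arrays are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum first_msg { MSG_NEED_MORE, MSG_PG_SSLREQUEST, MSG_TLS_CLIENTHELLO, MSG_OTHER };

#define PG_SSLREQUEST_CODE 80877103u /* (1234 << 16) | 5679 */

/* Constructed sample inputs, not captured traffic. */
const unsigned char sample_sslrequest[8] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
const unsigned char sample_clienthello[6] = {0x16, 0x03, 0x01, 0x00, 0x2F, 0x01};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the bytes buffered so far on a freshly accepted connection. */
enum first_msg classify_first_bytes(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return MSG_NEED_MORE;
    if (buf[0] == 0x16) { /* TLS record, content type "handshake" */
        if (len < 6)
            return MSG_NEED_MORE;
        /* major version 3, first handshake message is ClientHello (1) */
        return (buf[1] == 0x03 && buf[5] == 0x01) ? MSG_TLS_CLIENTHELLO : MSG_OTHER;
    }
    if (len < 8)
        return MSG_NEED_MORE;
    /* SSLRequest is Int32 length 8 + Int32 request code. The client must wait
       for the one-byte answer, so bytes already queued behind it are refused. */
    if (be32(buf) == 8 && be32(buf + 4) == PG_SSLREQUEST_CODE)
        return len == 8 ? MSG_PG_SSLREQUEST : MSG_OTHER;
    return MSG_OTHER;
}

/* Byte the proxy sends back itself: 'S' accepts TLS; 0 means send nothing. */
char proxy_reply(enum first_msg m)
{
    return m == MSG_PG_SSLREQUEST ? 'S' : 0;
}

int main(void)
{
    enum first_msg m = classify_first_bytes(sample_sslrequest, sizeof sample_sslrequest);
    printf("SSLRequest -> reply '%c'\n", proxy_reply(m));
    m = classify_first_bytes(sample_clienthello, sizeof sample_clienthello);
    printf("ClientHello recognised: %d\n", m == MSG_TLS_CLIENTHELLO);
    return 0;
}
```

After replying `S`, the proxy would read the ClientHello that follows and route on its SNI value, which is why the client still has to set the extension in either variant.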