Re: Direct SSL connection with ALPN and HBA rules

From: Heikki Linnakangas
Subject: Re: Direct SSL connection with ALPN and HBA rules
Date:
Msg-id: f6434810-3d12-4ce1-860b-1ce79e9d03ea@iki.fi
In reply to: Re: Direct SSL connection with ALPN and HBA rules  (Jelte Fennema-Nio <postgres@jeltef.nl>)
Responses: Re: Direct SSL connection with ALPN and HBA rules  (Jelte Fennema-Nio <postgres@jeltef.nl>)
List: pgsql-hackers
On 11/05/2024 23:45, Jelte Fennema-Nio wrote:
> On Fri, 10 May 2024 at 15:50, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> New proposal:
>>
>> - Remove the "try both" mode completely, and rename "requiredirect" to
>> just "direct". So there would be just two modes: "postgres" and
>> "direct". On reflection, the automatic fallback mode doesn't seem very
>> useful. It would make sense as the default, because then you would get
>> the benefits automatically in most cases but still be compatible with
>> old servers. But if it's not the default, you have to fiddle with libpq
>> settings anyway to enable it, and then you might as well use the
>> "requiredirect" mode when you know the server supports it. There isn't
>> anything wrong with it as such, but given how much confusion there's
>> been on how this all works, I'd prefer to cut this back to the bare
>> minimum now. We can add it back in the future, and perhaps make it the
>> default at the same time. This addresses points 2. and 3. above.
>>
>> and:
>>
>> - Only allow sslnegotiation=direct with sslmode=require or higher. This
>> is what you, Jacob, wanted to do all along, and addresses point 1.
>>
>> Thoughts?
> 
> Sounds mostly good to me. But I think we'd want to automatically
> increase sslmode to require if it is unset, but sslnegotiation is set
> to direct. Similar to how we bump sslmode to verify-full if
> sslrootcert is set to system, but sslmode is unset. i.e. it seems
> unnecessary/unwanted to throw an error if the connection string only
> contains sslnegotiation=direct.

I find that error-prone. For example:

1. Try to connect to a server with direct negotiation: psql "host=foobar dbname=mydb sslnegotiation=direct"

2. It fails. Maybe it was an old server? Let's change it to 
sslnegotiation=postgres.

3. Now it succeeds. Great!

You might miss that by changing sslnegotiation to 'postgres', or by 
removing it altogether, you not only made it compatible with older 
server versions, but you also allowed falling back to a plaintext 
connection. Maybe you're fine with that, but maybe not. I'd like to 
nudge people to use sslmode=require, not rely on implicit stuff like 
this just to make connection strings a little shorter.

I'm not a fan of sslrootcert=system implying sslmode=verify-full either, 
for the same reasons. But at least "sslrootcert" is a clearly 
security-related setting, so removing it might give you pause, whereas 
sslnegotiation is about performance and compatibility.

In v18, I'd like to make sslmode=require the default. Or maybe introduce 
a new setting like "encryption=ssl|gss|none", defaulting to 'ssl'. If we 
want to encourage encryption, that's the right way to do it. (I'd still 
recommend everyone to use an explicit sslmode=require in their 
connection strings for many years, though, because you might be using an 
older client without realizing it.)

-- 
Heikki Linnakangas
Neon (https://neon.tech)
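To make the interaction discussed in this message concrete, here is a small model of how libpq's effective sslmode is derived from a connection string under the two policies on the table: the one proposed in the thread (reject sslnegotiation=direct unless sslmode is require or higher) and the "bump sslmode to require" alternative from the quoted reply. This is an added example written for this page, not libpq code or anything from the PostgreSQL project. The sslmode ordering, the "prefer" default, and the sslrootcert=system implying verify-full behaviour are libpq's documented semantics; the handling of sslnegotiation=direct is an assumption that models the proposal, not a statement of what any released libpq does. The `parse_conninfo`, `effective_sslmode`, `check` and `walkthrough` names are invented for the example, and the connection strings it evaluates are constructed from the steps in the mail.

```python
"""Model the sslmode / sslnegotiation interaction from the thread (added example).

Parses a libpq-style 'key=value key=value' connection string, derives the
sslmode that would actually apply, and reports whether a plaintext fallback
is still possible. Two policies for sslnegotiation=direct are modelled:
  "reject": error unless sslmode is require or higher (the thread's proposal)
  "bump":   silently raise an unset sslmode to require (the alternative)
Neither policy is claimed to be libpq's shipped behaviour.
"""
import shlex

# libpq's sslmode values, weakest to strongest.
SSLMODE_ORDER = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
DEFAULT_SSLMODE = "prefer"  # libpq's default when sslmode is unset


def rank(sslmode: str) -> int:
    """Position of an sslmode in the strength ordering; rejects unknown values."""
    if sslmode not in SSLMODE_ORDER:
        raise ValueError(f"invalid sslmode value: {sslmode!r}")
    return SSLMODE_ORDER.index(sslmode)


def parse_conninfo(conninfo: str) -> dict:
    """Parse 'key=value ...' (values may be quoted). Simplification: libpq also
    accepts spaces around '=' and URI syntax, which this example ignores."""
    params = {}
    for token in shlex.split(conninfo):
        if "=" not in token:
            raise ValueError(f"malformed parameter: {token!r}")
        key, value = token.split("=", 1)
        params[key] = value
    return params


def effective_sslmode(params: dict, policy: str = "reject") -> str:
    """Return the sslmode that would govern the connection, or raise ValueError."""
    sslmode = params.get("sslmode")
    if sslmode is not None:
        rank(sslmode)  # validate early
    # Documented libpq behaviour: sslrootcert=system implies verify-full
    # only when sslmode was not given explicitly.
    if sslmode is None and params.get("sslrootcert") == "system":
        sslmode = "verify-full"
    if params.get("sslnegotiation", "postgres") == "direct":
        if policy == "bump" and sslmode is None:
            sslmode = "require"  # modelled alternative: implicit upgrade
        elif sslmode is None or rank(sslmode) < rank("require"):
            # modelled proposal: refuse rather than guess
            raise ValueError("sslnegotiation=direct requires sslmode=require or higher")
    return sslmode if sslmode is not None else DEFAULT_SSLMODE


def check(conninfo: str, policy: str = "reject") -> dict:
    """Summarise a connection string: effective sslmode and whether the
    connection may silently fall back to plaintext, or the error raised."""
    try:
        mode = effective_sslmode(parse_conninfo(conninfo), policy)
    except ValueError as exc:
        return {"ok": False, "sslmode": None, "plaintext_fallback": None, "error": str(exc)}
    return {"ok": True, "sslmode": mode,
            "plaintext_fallback": rank(mode) < rank("require"), "error": None}


def walkthrough(policy: str = "reject") -> dict:
    """Replay the three steps from the mail: direct negotiation is tried, it
    fails against an old server, and the user switches to sslnegotiation=postgres.
    Returns what each step's string resolves to under the given policy."""
    direct = "host=foobar dbname=mydb sslnegotiation=direct"      # step 1
    fallback = "host=foobar dbname=mydb sslnegotiation=postgres"  # step 2/3
    explicit = "host=foobar dbname=mydb sslmode=require sslnegotiation=postgres"
    return {
        "step1_direct": check(direct, policy),
        "step3_postgres": check(fallback, policy),
        "step3_with_explicit_require": check(explicit, policy),
    }


if __name__ == "__main__":
    for policy in ("reject", "bump"):
        print(f"--- policy: {policy}")
        for step, result in walkthrough(policy).items():
            print(f"{step:30s} sslmode={result['sslmode']} "
                  f"plaintext_fallback={result['plaintext_fallback']} error={result['error']}")
```

Running it shows the point of the mail under both policies: whether step 1 errors out ("reject") or silently gets require ("bump"), the step 3 string without an explicit sslmode resolves to prefer and so admits a plaintext fallback, while the variant with sslmode=require spelled out does not. The implicit upgrade only protects the string that still carries sslnegotiation=direct; it is the edited string that loses the guarantee.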
