Re: Direct SSL connection with ALPN and HBA rules

On Fri, Apr 26, 2024 at 3:51 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> I finally understood what you mean. So if the client supports ALPN, but
> the list of protocols that it provides does not include 'postgresql',
> the server should reject the connection with 'no_applicaton_protocol'
> alert.

Right. (And additionally, we reject clients that don't advertise ALPN
over direct SSL, also during the TLS handshake.)

> The attached patch makes that change. I used the alpn_cb() function in
> openssl's own s_server program as example for that.

This patch as written will apply the new requirement to the old
negotiation style, though, won't it? My test suite sees a bunch of
failures with that.

> Unfortunately the error message you got in the client with that was
> horrible (I modified the server to not accept the 'postgresql' protocol):
>
> psql "dbname=postgres sslmode=require host=localhost"
> psql: error: connection to server at "localhost" (::1), port 5432
> failed: SSL error: SSL error code 167773280

<long sigh>

I filed a bug upstream [1].

Thanks,
--Jacob

[1] https://github.com/openssl/openssl/issues/24300