Обсуждение: [MASSMAIL] pgsql: Send ALPN in TLS handshake, require it in direct SSL connections
[MASSMAIL] pgsql: Send ALPN in TLS handshake, require it in direct SSL connections
От
Heikki Linnakangas
Дата:
Send ALPN in TLS handshake, require it in direct SSL connections libpq now always tries to send ALPN. With the traditional negotiated SSL connections, the server accepts the ALPN, and refuses the connection if it's not what we expect, but connecting without ALPN is still OK. With the new direct SSL connections, ALPN is mandatory. NOTE: This uses "TBD-pgsql" as the protocol ID. We must register a proper one with IANA before the release! Author: Greg Stark, Heikki Linnakangas Reviewed-by: Matthias van de Meent, Jacob Champion Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/91044ae4baeac2e501e34164a69bd5d9c4976d21 Modified Files -------------- doc/src/sgml/libpq.sgml | 12 +++++ src/backend/libpq/be-secure-openssl.c | 77 ++++++++++++++++++++++++++++++++ src/backend/tcop/backend_startup.c | 8 ++++ src/bin/psql/command.c | 7 ++- src/include/libpq/libpq-be.h | 1 + src/include/libpq/pqcomm.h | 19 ++++++++ src/interfaces/libpq/fe-secure-openssl.c | 35 +++++++++++++++ 7 files changed, 157 insertions(+), 2 deletions(-)
Hi,
On 2024-04-08 01:25:40 +0000, Heikki Linnakangas wrote:
> Send ALPN in TLS handshake, require it in direct SSL connections
>
> libpq now always tries to send ALPN. With the traditional negotiated
> SSL connections, the server accepts the ALPN, and refuses the
> connection if it's not what we expect, but connecting without ALPN is
> still OK. With the new direct SSL connections, ALPN is mandatory.
>
> NOTE: This uses "TBD-pgsql" as the protocol ID. We must register a
> proper one with IANA before the release!
>
> Author: Greg Stark, Heikki Linnakangas
> Reviewed-by: Matthias van de Meent, Jacob Champion
My compiler complains:
[396/992 42 39%] Compiling C object src/backend/postgres_lib.a.p/libpq_be-secure-openssl.c.o
../../../../../home/andres/src/postgresql/src/backend/libpq/be-secure-openssl.c: In function 'alpn_cb':
../../../../../home/andres/src/postgresql/src/backend/libpq/be-secure-openssl.c:1327:69: warning: ordered comparison of
pointerwith integer zero [-Wextra]
1327 | if (*out == NULL || *outlen > sizeof(alpn_protos) || outlen <= 0)
| ^~
[991/992 1 99%] Linking target src/bin/pg_dump/pg_dump
And I think it may show why the warning is a good idea - I assume
"*outlen <= 0" was intended?
Greetings,
Andres Freund
Re: pgsql: Send ALPN in TLS handshake, require it in direct SSL connections
От
Heikki Linnakangas
Дата:
On 08/04/2024 04:50, Andres Freund wrote: > On 2024-04-08 01:25:40 +0000, Heikki Linnakangas wrote: >> Send ALPN in TLS handshake, require it in direct SSL connections >> >> libpq now always tries to send ALPN. With the traditional negotiated >> SSL connections, the server accepts the ALPN, and refuses the >> connection if it's not what we expect, but connecting without ALPN is >> still OK. With the new direct SSL connections, ALPN is mandatory. >> >> NOTE: This uses "TBD-pgsql" as the protocol ID. We must register a >> proper one with IANA before the release! >> >> Author: Greg Stark, Heikki Linnakangas >> Reviewed-by: Matthias van de Meent, Jacob Champion > > My compiler complains: > > [396/992 42 39%] Compiling C object src/backend/postgres_lib.a.p/libpq_be-secure-openssl.c.o > ../../../../../home/andres/src/postgresql/src/backend/libpq/be-secure-openssl.c: In function 'alpn_cb': > ../../../../../home/andres/src/postgresql/src/backend/libpq/be-secure-openssl.c:1327:69: warning: ordered comparison ofpointer with integer zero [-Wextra] > 1327 | if (*out == NULL || *outlen > sizeof(alpn_protos) || outlen <= 0) > | ^~ > [991/992 1 99%] Linking target src/bin/pg_dump/pg_dump > > And I think it may show why the warning is a good idea - I assume > "*outlen <= 0" was intended? Yes. Fixed, thanks! -- Heikki Linnakangas Neon (https://neon.tech)