Discussion: pgsql: Reject SSL connection if ALPN is used but there's no common prot


pgsql: Reject SSL connection if ALPN is used but there's no common prot

From
Heikki Linnakangas
Date:
Reject SSL connection if ALPN is used but there's no common protocol

If the client supports ALPN but tries to use some other protocol, like
HTTPS, reject the connection in the server. That is surely a confusion
of some sort. Furthermore, the ALPN RFC 7301 says:

> In the event that the server supports no protocols that the client
> advertises, then the server SHALL respond with a fatal
> "no_application_protocol" alert.

This commit makes the server follow that advice.

In the client, specifically check for the OpenSSL error code for the
"no_application_protocol" alert. Otherwise you got a cryptic "SSL
error: SSL error code 167773280" error if you tried to connect to a
non-PostgreSQL server that rejects the connection with
"no_application_protocol". ERR_reason_error_string() returns NULL for
that code, which frankly seems like an OpenSSL bug to me, but we can
easily print a better message ourselves.

Reported-by: Jacob Champion
Discussion: https://www.postgresql.org/message-id/6aedcaa5-60f3-49af-a857-2c76ba55a1f3@iki.fi

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/17a834a04d5a60aedd6899488a53d939d525fb16

Modified Files
--------------
src/backend/libpq/be-secure-openssl.c    | 10 +++++++---
src/interfaces/libpq/fe-secure-openssl.c | 12 ++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
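The two behaviours the commit message describes, the server-side "ALPN offered but no common protocol" rejection and the client-side recognition of the resulting alert, as an added stand-alone illustration that is not the commit's code nor any part of PostgreSQL or libpq. It assumes the ALPN protocol identifier "postgresql", the function and enum names are hypothetical, and the numeric constants are copied from the OpenSSL 3.x headers so that no OpenSSL linkage is needed (OpenSSL 1.1.x packs error codes differently, so the decoding matches the 3.x layout only). The decode shows why the cryptic 167773280 quoted above is exactly ERR_LIB_SSL with reason SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL.

```c
#include <stdio.h>
#include <string.h>

/* Copied from OpenSSL 3.x err.h / ssl.h / tls1.h (3.x layout only). */
#define ERR_LIB_SSL                    20
#define ERR_LIB_OFFSET                 23
#define ERR_LIB_MASK                   0xFF
#define ERR_REASON_MASK                0x7FFFFF
#define SSL_AD_REASON_OFFSET           1000
#define SSL_AD_NO_APPLICATION_PROTOCOL 120   /* RFC 7301 alert value */

/* Outcome of the server-side ALPN check (hypothetical names). */
enum alpn_verdict {
    ALPN_ACCEPT,    /* client sent no ALPN extension: keep serving it */
    ALPN_SELECTED,  /* client offered the protocol we speak */
    ALPN_REJECT,    /* ALPN used but no common protocol: fatal alert */
    ALPN_MALFORMED  /* truncated list or empty name: TLS error */
};

/*
 * Server side. `list` is the client's ALPN list in TLS wire format: a
 * sequence of 8-bit length-prefixed names, the same layout OpenSSL's
 * SSL_select_next_proto() consumes. The server speaks only `wanted`.
 */
enum alpn_verdict alpn_server_select(const unsigned char *list, size_t len,
                                     const char *wanted)
{
    size_t wanted_len = strlen(wanted);
    size_t pos = 0;

    if (len == 0)
        return ALPN_ACCEPT;                 /* no ALPN at all is allowed */

    while (pos < len) {
        size_t name_len = list[pos];

        /* RFC 7301 forbids empty names; never read past the buffer. */
        if (name_len == 0 || pos + 1 + name_len > len)
            return ALPN_MALFORMED;
        if (name_len == wanted_len &&
            memcmp(list + pos + 1, wanted, wanted_len) == 0)
            return ALPN_SELECTED;
        pos += 1 + name_len;
    }
    /* ALPN advertised, nothing in common: RFC 7301 says the server SHALL
     * respond with a fatal "no_application_protocol" alert. */
    return ALPN_REJECT;
}

/*
 * Client side. A fatal alert from the peer lands in the OpenSSL error
 * queue as library ERR_LIB_SSL with reason SSL_AD_REASON_OFFSET + alert.
 * Returns 1 if `ecode` is the no_application_protocol alert, else 0.
 */
int is_no_application_protocol_alert(unsigned long ecode)
{
    unsigned long lib = (ecode >> ERR_LIB_OFFSET) & ERR_LIB_MASK;
    unsigned long reason = ecode & ERR_REASON_MASK;

    return lib == ERR_LIB_SSL &&
           reason == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL;
}

/* Friendly text for that alert; NULL means "fall back to the number",
 * which is all the client could print before the commit. */
const char *describe_ssl_error(unsigned long ecode)
{
    if (is_no_application_protocol_alert(ecode))
        return "received fatal \"no_application_protocol\" alert: "
               "the server does not speak the requested ALPN protocol";
    return NULL;
}

int main(void)
{
    /* Constructed client ALPN lists in wire format. */
    static const unsigned char browser[] = "\x02h2\x08http/1.1";
    static const unsigned char pg[] = "\x0apostgresql";
    static const unsigned char cut[] = "\x0apostg";  /* claims 10, has 5 */
    const char *msg;

    printf("browser-style client: verdict %d\n",
           alpn_server_select(browser, sizeof(browser) - 1, "postgresql"));
    printf("postgresql client:    verdict %d\n",
           alpn_server_select(pg, sizeof(pg) - 1, "postgresql"));
    printf("no ALPN:              verdict %d\n",
           alpn_server_select(pg, 0, "postgresql"));
    printf("truncated list:       verdict %d\n",
           alpn_server_select(cut, sizeof(cut) - 1, "postgresql"));

    /* 167773280 == 0x0A000460 == (20 << 23) | 1120: the code quoted above */
    msg = describe_ssl_error(167773280UL);
    printf("%s\n", msg ? msg : "SSL error code 167773280");
    return 0;
}
```

A browser-style client offering only h2 and http/1.1 yields ALPN_REJECT, which is the case where the server now sends the fatal alert instead of silently continuing; a client that sends no ALPN list at all is still accepted, matching the "if ALPN is used" qualifier in the subject line.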


Re: pgsql: Reject SSL connection if ALPN is used but there's no common prot

From
Tom Lane
Date:
Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
> Reject SSL connection if ALPN is used but there's no common protocol

A moderately large fraction of the buildfarm doesn't seem to
recognize SSL_AD_NO_APPLICATION_PROTOCOL.

            regards, tom lane



Re: pgsql: Reject SSL connection if ALPN is used but there's no common prot

From
Heikki Linnakangas
Date:
On 30/04/2024 02:32, Tom Lane wrote:
> Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
>> Reject SSL connection if ALPN is used but there's no common protocol
> 
> A moderately large fraction of the buildfarm doesn't seem to
> recognize SSL_AD_NO_APPLICATION_PROTOCOL.

*sigh*. I checked that it exists on OpenSSL 1.1.1, but according to
buildfarm it's not present on OpenSSL 1.0.2 or LibreSSL. I'll add an
#ifdef guard. OpenSSL 1.0.2 support is about to be removed from master,
and we can live with a poor error message on LibreSSL. It's not
something that users should normally hit.

-- 
Heikki Linnakangas
Neon (https://neon.tech)




Re: pgsql: Reject SSL connection if ALPN is used but there's no common prot

From
Tom Lane
Date:
Heikki Linnakangas <hlinnaka@iki.fi> writes:
> On 30/04/2024 02:32, Tom Lane wrote:
>> A moderately large fraction of the buildfarm doesn't seem to
>> recognize SSL_AD_NO_APPLICATION_PROTOCOL.

> *sigh*. I checked that it exists on OpenSSL 1.1.1, but according to
> buildfarm it's not present on OpenSSL 1.0.2 or LibreSSL. I'll add an
> #ifdef guard. OpenSSL 1.0.2 support is about to be removed from master,
> and we can live with a poor error message on LibreSSL. It's not
> something that users should normally hit.

WFM.  Thanks!

            regards, tom lane