SSLMode=prefer terminates connection with error instead of unsecure connection #1377

Closed
SovakPaleny opened this issue Feb 5, 2021 · 0 comments

Comments

@SovakPaleny
Contributor

Summary

Our applications always use SSLMode=prefer to connect to databases, including unsecured ones. It works well, but not with secretless-broker. SSLMode=prefer should be a safe option for capability autodetection.

Also, SSLMode=require should send the correct message to the client instead of a generic error.

Steps to Reproduce

$ PGSSLMODE=prefer psql -h localhost -p 55432 -U postgres postgres
psql: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 55432?
FATAL:  SSL not supported
$ PGSSLMODE=require psql -h localhost -p 55432 -U postgres postgres
psql: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 55432?
FATAL:  SSL not supported

Expected Results

Secretless broker should correctly signal unsupported SSL to the client, so the client can continue with an unsecured connection if required.

$ PGSSLMODE=prefer psql -h localhost -p 5432 -U postgres postgres
psql (10.15, server 13.1 (Debian 13.1-1.pgdg100+1))
WARNING: psql major version 10, server major version 13.
         Some psql features might not work.
Type "help" for help.

postgres=# 

Correct signaling with SSLMode=require

$ PGSSLMODE=require psql -h localhost -p 5432 -U postgres postgres
server does not support SSL, but SSL was required

Actual Results (including error logs, if applicable)

2021/02/05 11:02:37 [DEBUG] pg: New connection on 127.0.0.1:55432.
2021/02/05 11:02:37 [DEBUG] pg: Handling connection 127.0.0.1:59066 -> 127.0.0.1:55432
2021/02/05 11:02:37 [DEBUG] pg: s.Client version: 80877103, (SSL mode: true)
2021/02/05 11:02:37 [ERROR] pg: Failed on handle connection: failed on connect: SSL not supported

Additional Information

This issue blocks us from the next steps in the evaluation process, so I prepared a patch that fixes the issue so we can continue.
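The negotiation the report asks for, as an added example (not secretless-broker's code and not the patch mentioned above): in the PostgreSQL wire protocol a listener that does not offer TLS answers the client's SSLRequest (code 80877103, the "version" in the debug log) with the single byte `N` and then keeps reading on the same connection. The names `packet`, `readStartup` and `negotiate`, the 10000-byte length bound and the sample startup payload are assumptions made for this sketch.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

const sslRequestCode = 80877103 // SSLRequest; logged above as "Client version: 80877103"

// packet builds a startup-phase packet: int32 self-inclusive length, int32 code, payload.
func packet(code uint32, payload []byte) []byte {
	b := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint32(b, uint32(8+len(payload)))
	binary.BigEndian.PutUint32(b[4:], code)
	return append(b, payload...)
}

func readStartup(r io.Reader) (uint32, []byte, error) {
	var hdr struct{ Len, Code uint32 }
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return 0, nil, err
	}
	if hdr.Len < 8 || hdr.Len > 10000 { // upper bound chosen for this example
		return 0, nil, fmt.Errorf("bad startup packet length %d", hdr.Len)
	}
	payload := make([]byte, hdr.Len-8)
	_, err := io.ReadFull(r, payload)
	return hdr.Code, payload, err
}

// negotiate: a listener without TLS answers SSLRequest with 'N', then reads what follows.
func negotiate(in io.Reader, out io.Writer) (uint32, []byte, error) {
	code, payload, err := readStartup(in)
	if err != nil || code != sslRequestCode {
		return code, payload, err // no TLS requested (or read failed): nothing to answer
	}
	if _, err := out.Write([]byte{'N'}); err != nil {
		return 0, nil, err
	}
	return readStartup(in) // prefer: StartupMessage follows; require: client closes (io.EOF)
}

func main() {
	var out bytes.Buffer
	in := append(packet(sslRequestCode, nil), packet(196608, []byte("user\x00postgres\x00\x00"))...)
	code, _, err := negotiate(bytes.NewReader(in), &out) // constructed prefer-mode client
	fmt.Printf("reply=%q next=%d err=%v\n", out.String(), code, err)
}
```

With `N` on the wire the decision stays with the client: `PGSSLMODE=prefer` sends its plaintext StartupMessage, while `PGSSLMODE=require` closes the connection and reports the "server does not support SSL, but SSL was required" message shown under Expected Results.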
