Re: Introducing SNI in TLS handshake for SSL connections

Поиск
Список
Период
Сортировка
От Pablo Iranzo Gómez
Тема Re: Introducing SNI in TLS handshake for SSL connections
Дата
Msg-id 20181213064321.GM20222@redhat.com
обсуждение исходный текст
Ответ на Re: Introducing SNI in TLS handshake for SSL connections  (Andreas Karlsson <andreas@proxel.se>)
Ответы Re: Introducing SNI in TLS handshake for SSL connections  (Andreas Karlsson <andreas@proxel.se>)
Список pgsql-hackers
Дерево обсуждения 
Hi Andreas

+++ Andreas Karlsson [13/12/18 01:30 +0100]:
>On 12/11/18 3:52 PM, Pablo Iranzo Gómez wrote:
>>I came to this old thread while trying to figure out on how to setup
>>postgres replication behind OpenShift/Kubernetes behind a route
>>(which only forwards 80 or 443 traffic), but could work if SNI is
>>supported on the client using it.
>
>Hm ... while hacking at a patch for this I gave your specific problem
>some more thought.

Thanks for this!

>
>I am not familiar with OpenShift or Kubernetes but I want you to be
>aware of that whatever proxy you are going to use will still need to

haproxy is what is used behind, the idea is that haproxy by default when
enabled via a 'route' does allow http or https protocol ONLY, BUT
(https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html),
routers do support TLS with SNI.

As PSQL by default tries TLS and fallbacks to plain psql protocol the
idea behind is that we tell OpenShift route to be 'Secure' and
'passtrough', in this way, when PSQL does speak to '443' port in the
route that goes to the 'pod' running postgres using TLS and SNI, the
connection goes thru without any special protocol change.

>be aware of, at least a subset of, the PostgreSQL protocol, since
>similar to SMTP's STARTTLS command the PostgreSQL client will start
>out using the plain text PostgreSQL protocol and then request the
>server to switch over to SSL[1]. So it would be necessary to add
>support for this to whatever proxy you intend to use.
>
>Do you know if adding such custom protocol support is easy to do to
>the proxies you refer to? And do you have any links to documentation
>for these solutions?

I found some diagrams and other links to SSL and HAProxy in:

https://www.haproxy.com/fr/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Probably: https://tools.ietf.org/html/rfc6066#page-6

Let me know if this is not helpful, and thanks again for your time on
this.

Pablo


>
>Notes
>
>1. https://www.postgresql.org/docs/11/protocol-flow.html#id-1.10.5.7.11
>
>Andreas

--

Pablo Iranzo Gómez (Pablo.Iranzo@redhat.com)          GnuPG: 0x5BD8E1E4
Senior Software Engineer - Solutions Engineering           iranzo @ IRC
RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA        #110-215-852    RHCA Level V

Blog: https://iranzo.github.io                     https://citellus.org
Вложения

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Amit Langote
Дата:
Сообщение: Re: pg_partition_tree crashes for a non-defined relation
Следующее
От: Surafel Temesgen
Дата:
Сообщение: Re: COPY FROM WHEN condition