On 11/12/2020 16:46, Lukas Meisegeier wrote:
> Hey Heikki,
>
> thanks for providing feedback :)
> The traffic between proxy and psql-server is unencrypted, that's why I
> don't need to patch the server.
Ok.
> I tried returning a fixed response on the first plain SSLRequest,
> forwarding it to a psql-server with ssl enabled, and tried to switch then
> on the ssl connection startup, but that didn't work out. I guess it's
> because the psql-server won't accept an ssl connection if it's not
> requested via SSLRequest.
Your proxy could receive the client's SSLRequest message, and respond
with a single byte 'S'. You don't need to forward that to the real
PostgreSQL server, since the connection to the PostgreSQL server is
unencrypted. Then perform the TLS handshake, and forward all traffic to
the real server only after that.
Client: -> SSLRequest
Proxy: <- 'S'
Client: -> TLS ClientHello
Proxy: [finish TLS handshake]
- Heikki
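The proxy side of the exchange Heikki describes, as an added Python example that is not part of this thread or of any PostgreSQL code (the function names, the certificate paths and the `simulate` helper are assumptions for illustration; the 8-byte SSLRequest layout and its code 80877103 are from the frontend/backend protocol):

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (always 8) followed by int32 code 80877103.
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


def is_ssl_request(data: bytes) -> bool:
    """True only if `data` is exactly one well-formed SSLRequest message."""
    if len(data) != 8:
        return False
    length, code = struct.unpack("!ii", data)
    return length == 8 and code == SSL_REQUEST_CODE


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes. Reading no more than that matters: anything the
    client sends after the SSLRequest must be consumed by the TLS layer,
    never kept in a plaintext buffer and replayed into the TLS session."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed before completing SSLRequest")
        buf += chunk
    return buf


def terminate_tls(client: socket.socket, wrap):
    """Answer the client's SSLRequest with 'S' ourselves (the backend never sees
    it), then run the TLS handshake via `wrap`. Only after `wrap` returns should
    the proxy start relaying bytes to the unencrypted backend connection."""
    if not is_ssl_request(recv_exact(client, 8)):
        client.close()  # refuse anything that is not an SSLRequest (e.g. plaintext startup)
        raise ConnectionError("expected SSLRequest, refusing plaintext startup")
    client.sendall(b"S")
    return wrap(client)  # StartupMessage and everything after now arrive inside TLS


def make_wrapper(certfile: str, keyfile: str):
    """Production `wrap`: server-side TLS using the proxy's own certificate (paths assumed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return lambda s: ctx.wrap_socket(s, server_side=True)


def simulate(client_bytes: bytes):
    """Offline check over a socketpair with TLS stubbed out: returns the byte the
    client receives, or None when the proxy refused the connection."""
    client, proxy = socket.socketpair()
    try:
        client.sendall(client_bytes)
        client.shutdown(socket.SHUT_WR)  # constructed client sends nothing more
        try:
            terminate_tls(proxy, lambda s: s)
        except ConnectionError:
            return None
        return client.recv(1)
    finally:
        client.close()
        proxy.close()
```

In production, `terminate_tls(conn, make_wrapper(cert, key))` is called per accepted client, and the returned TLS socket is relayed byte-for-byte to a plain TCP socket opened to the real server.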