Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
From | Markus KARG |
---|---|
Subject | Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" |
Date | |
Msg-id | 8a8cba41-fa82-492b-8500-a7538e5d5cf7@headcrashing.eu |
In reply to | Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" (Heikki Linnakangas <hlinnaka@iki.fi>) |
Responses | Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" |
List | pgsql-bugs |
> On 25/12/2024 19:05, Markus KARG wrote:
>> I am running the official PostgreSQL 17.2 Docker Container
>> (https://hub.docker.com/layers/library/postgres/17.2/images/sha256-c063081175f45f4a3a5ac03c234e060e67618ebe75b49e2a7ffb79f8357bd1e6)
>> proxied by a TLSv1.3 proxy (official Traefik 3.2.3 Docker Container
>> https://hub.docker.com/layers/library/traefik/v3.2.3/images/sha256-06966a9ba1747ad724a490b8f27df1434c64e8eee5d681df03c4761c9653f62c).
>> Traefik utilizes ACME with Let's Encrypt to produce the TLS certificate.
>
> In v17, libpq requests the ALPN extension in the TLS handshake. Looks
> like the proxy doesn't know about the "postgresql" ALPN protocol, and
> rejects the connection.
>
> I guess Traefik needs some configuration changes to tell it that the
> "postgresql" protocol is expected. Or code changes.

Traefik does NOT REJECT the connection (if it did, the error message from psql would be different). Traefik is "postgres-aware" already since 3.0.0, while I am running 3.2.3. Note that psql v16.3 works fine but psql v16.4 does not, so a change introduced by v17 CANNOT be the cause of the current problem.

>> Using the official PostgreSQL Docker Container (16.3 vs 16.4+), I am
>> asking psql to connect to my server. While psql 16.3 and earlier
>> versions successfully connect via the TLS proxy to the PostgreSQL
>> server, psql 16.4 and later versions fail to do so:
>>
>> root@hetzner-2:~# docker run -it postgres:16.3 psql
>> "host=headcrashing.eu port=5432 dbname=postgres user=postgres
>> password=... sslmode=require"
>> psql (16.3 (Debian 16.3-1.pgdg120+1), server 17.2 (Debian
>> 17.2-1.pgdg120+1))
>> WARNING: psql major version 16, server major version 17.
>> Some psql features might not work.
>> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_128_GCM_SHA256,
>> compression: off)
>> Type "help" for help.
>>
>> postgres=# \q
>> root@hetzner-2:~# docker run -it postgres:16.4 psql
>> "host=headcrashing.eu port=5432 dbname=postgres user=postgres
>> password=... sslmode=require"
>> psql: error: connection to server at "headcrashing.eu" (49.13.53.107),
>> port 5432 failed: SSL error: tlsv1 alert no application protocol
>
> There were no changes between 16.3 and 16.4 to explain this. When I
> test that with v16 client that I built from sources, I don't get that
> error.
>
> The error message suggests that you're actually using libpq v17. And
> indeed I get that error when connecting with v17 client. Perhaps the
> postgres:16.4 docker image was built with v17 libpq?

I am using the original, pre-built container images found on Docker Hub and have NOT built them on my own. I am not a PostgreSQL committer either. So I cannot answer your question.