Обсуждение: Thoughts on a "global" client configuration?
Hi all, I want to move towards a world where we have sslmode=verify-full by default. (And maybe gssencmode=disabled, for that matter.) But changing defaults is risky for established users. I'm exploring the idea of a global configuration for libpq -- /etc/libpqrc, if you will -- that contains all of our connection options and lets people override our decisions. So new users and established users don't have to agree on what's best for their use cases, and we can make improvements without fearing that we've locked some subset of users into their "last version" of Postgres because they can't upgrade. I started on a proof of concept and very quickly hit a fork. Do I 1) introduce a completely new config file, or 2) adapt pg_service.conf to this use case? If you're interested in that proof of concept, I'd like to know which option you'd like to see first. Some thoughts on each are in the appendix below, if you've got time, but a quick straw-poll response is helpful too. Thanks! --Jacob = Appendix: Design Thoughts = I wanted my PoC to show the following: - a two-tier approach, so that administrators can set system-wide defaults in /etc and users can set user-wide overrides for those defaults in their home directory - backwards and forwards compatibility (we don't ever break old libpqs, but new libpqs can add new options safely) That last part is why I initially preferred option (1). I didn't want to have to figure out the cross-compatibility implications of adapting pg_service.conf. I thought we could use installation-specific /etc/postgresql/<version>/libpqrc files and have them be completely separate from the longstanding service concept. Unfortunately that has at least one design mistake, which is that the user-tier config file can't have a version-specific prefix. So I either put the version into the name (gross), or else I have to solve cross-compatibility anyway. If I adapt pg_service.conf, I get the tier system for free. But I would still have to invent some sort of forwards compatibility mechanism, and my ideas so far involve adding non-INI syntax to the beginning of the file, where it would be ignored by existing versions. It puts us closer to ssh_config territory. Not sure how well that would go over; there are other projects parsing this.
On Mon, Oct 6, 2025 at 2:06 PM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > I want to move towards a world where we have sslmode=verify-full by > default. (And maybe gssencmode=disabled, for that matter.) But > changing defaults is risky for established users. > > I'm exploring the idea of a global configuration for libpq -- > /etc/libpqrc, if you will -- that contains all of our connection > options and lets people override our decisions. So new users and > established users don't have to agree on what's best for their use > cases, and we can make improvements without fearing that we've locked > some subset of users into their "last version" of Postgres because > they can't upgrade. I think the down side of this kind of system is that it makes life harder for people who want to write code that works everywhere. You have to take into account the possibility that the configuration file could be overriding the compiled-in defaults and messing up your extension/tool/utility. This is why we tend to want to avoid behavior-changing GUCs on the server side -- anybody who writes an extension now has to be prepared for every possible value of each of those settings, and it's not a lot of fun. Now, all that said, I'm not sure how serious that class of problems is in this case. In the case of a client application, even if it's intended as a general tool that might be used by many people on many systems, in most cases, the author of that tool probably shouldn't have strong opinions about what details ought to be in the connection string vs. what details ought to be taken from a configuration file somewhere. But there are counterexamples, such as our regression tests. It seems like those tests are never likely to be stable under every possible choice of settings that you might put in that file, and eventually somebody who is running a buildfarm machine will end up with a file installed that breaks something, and that will be annoying. Maybe that can be avoided with an opt-out, like ignoresystemdefaults=1 or something, but it's worth noting that our current service-file system avoids this problem by being strictly opt-in, and I kind of wonder if we ought to stick with that. Because the alternative to what you're describing here is to just change the defaults in some new major release, and let the chips fall where they may. People will have to adjust, and one way they might do that is by using a service file to recover the old defaults. Whether that's better or worse than trying to ease the migration with some mechanism like the one you propose here is a judgement call, but I don't think anybody thinks that sslmode=prefer is actually a good default any more. I can imagine votes for disable, verify-full, and maybe require, but prefer seems obviously silly. To be honest, I think part of the problem here has to do with our choice of syntax. For HTTP, you just change the URL from http to https and it's one extra character. Decorating every connection string with sslmode=none (if the default is verify-full and you're running on a trusted network) or sslmode=verify-full (if the default is none and you're not running on a trusted network) feels bad, especially if you have to type those connection strings by hand with any frequency. I can't help wondering how much of the resistance in this area (including mine, FWIW) is subtly influenced by the feeling that it's going to be really annoying when the default isn't what you want in a particular case. But despite that, I still think we should ask ourselves whether it isn't better to endure a hard compatibility break. Maybe it isn't, and a config file as you propose is indeed a better option. But it doesn't solve the problem of deciding what the default ought to be in the absence of a config file, and it does potentially create some new problems. -- Robert Haas EDB: http://www.enterprisedb.com
On 2025-10-08 We 10:39 AM, Robert Haas wrote: > On Mon, Oct 6, 2025 at 2:06 PM Jacob Champion > <jacob.champion@enterprisedb.com> wrote: >> I want to move towards a world where we have sslmode=verify-full by >> default. (And maybe gssencmode=disabled, for that matter.) But >> changing defaults is risky for established users. >> >> I'm exploring the idea of a global configuration for libpq -- >> /etc/libpqrc, if you will -- that contains all of our connection >> options and lets people override our decisions. So new users and >> established users don't have to agree on what's best for their use >> cases, and we can make improvements without fearing that we've locked >> some subset of users into their "last version" of Postgres because >> they can't upgrade. > I think the down side of this kind of system is that it makes life > harder for people who want to write code that works everywhere. You > have to take into account the possibility that the configuration file > could be overriding the compiled-in defaults and messing up your > extension/tool/utility. This is why we tend to want to avoid > behavior-changing GUCs on the server side -- anybody who writes an > extension now has to be prepared for every possible value of each of > those settings, and it's not a lot of fun. > > Now, all that said, I'm not sure how serious that class of problems is > in this case. In the case of a client application, even if it's > intended as a general tool that might be used by many people on many > systems, in most cases, the author of that tool probably shouldn't > have strong opinions about what details ought to be in the connection > string vs. what details ought to be taken from a configuration file > somewhere. But there are counterexamples, such as our regression > tests. It seems like those tests are never likely to be stable under > every possible choice of settings that you might put in that file, and > eventually somebody who is running a buildfarm machine will end up > with a file installed that breaks something, and that will be > annoying. Maybe that can be avoided with an opt-out, like > ignoresystemdefaults=1 or something, but it's worth noting that our > current service-file system avoids this problem by being strictly > opt-in, and I kind of wonder if we ought to stick with that. > > Because the alternative to what you're describing here is to just > change the defaults in some new major release, and let the chips fall > where they may. People will have to adjust, and one way they might do > that is by using a service file to recover the old defaults. Whether > that's better or worse than trying to ease the migration with some > mechanism like the one you propose here is a judgement call, but I > don't think anybody thinks that sslmode=prefer is actually a good > default any more. I can imagine votes for disable, verify-full, and > maybe require, but prefer seems obviously silly. > > To be honest, I think part of the problem here has to do with our > choice of syntax. For HTTP, you just change the URL from http to https > and it's one extra character. Decorating every connection string with > sslmode=none (if the default is verify-full and you're running on a > trusted network) or sslmode=verify-full (if the default is none and > you're not running on a trusted network) feels bad, especially if you > have to type those connection strings by hand with any frequency. I > can't help wondering how much of the resistance in this area > (including mine, FWIW) is subtly influenced by the feeling that it's > going to be really annoying when the default isn't what you want in a > particular case. > > But despite that, I still think we should ask ourselves whether it > isn't better to endure a hard compatibility break. Maybe it isn't, and > a config file as you propose is indeed a better option. But it doesn't > solve the problem of deciding what the default ought to be in the > absence of a config file, and it does potentially create some new > problems. > There's a lot to this POV, and it's made worse by the unattractiveness of both of Jacob's options. If we set the default at verify-full (that would be my vote), someone can undo that for a particular installation by setting PGSSLMODE=prefer globally on their system, without our inventing a new config file / section. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
On Wed, Oct 8, 2025 at 7:39 AM Robert Haas <robertmhaas@gmail.com> wrote: > Thanks for the feedback! > I think the down side of this kind of system is that it makes life > harder for people who want to write code that works everywhere. You > have to take into account the possibility that the configuration file > could be overriding the compiled-in defaults and messing up your > extension/tool/utility. There's truth in that, I think, from a support standpoint. It's a knob which can be used to improve or destroy, and we could probably expect to see a transition period where some bug reports are closed with "why did you put that in your configuration?" I need to put more thought into the interaction with existing postgresql:// URIs, as well. > But there are counterexamples, such as our regression > tests. It seems like those tests are never likely to be stable under > every possible choice of settings that you might put in that file, and > eventually somebody who is running a buildfarm machine will end up > with a file installed that breaks something, and that will be > annoying. I think this is already solved. We have PGSYSCONFDIR, which allows tests to pull configuration from the temporary installation directory instead (and makes pg_service.conf relocatable for all of our utilities). Both of my proposed solutions can make use of that. > Maybe that can be avoided with an opt-out, like > ignoresystemdefaults=1 or something An opt-out would be pretty easy to add if needed, and it would align with clients like OpenSSH (`-F none`) and OpenLDAP (`LDAPNOINIT=1`). But I'd want to pin down what the use cases are before adding one. > Because the alternative to what you're describing here is to just > change the defaults in some new major release, and let the chips fall > where they may. People will have to adjust, and one way they might do > that is by using a service file to recover the old defaults. Whether > that's better or worse than trying to ease the migration with some > mechanism like the one you propose here is a judgement call, My vote is "worse", because while everyone seems to agree that `prefer` is bad, no one seems to agree on what the replacement should be. So momentum on the list dies quickly. And it's not just sslmode that's in the crosshairs; even if we somehow got to agreement on a compatibility break there, the exact same discussion is going to happen with the next one. In my opinion, there _is_ no "best for everyone". But we can lower the cost of a "bad" choice (for less common use cases), to make room to adjust defaults and make them "best for new users", or "best for the community", or etc. Distribution packagers could further adjust them to what's best for their communities, too. > To be honest, I think part of the problem here has to do with our > choice of syntax. For HTTP, you just change the URL from http to https > and it's one extra character. I think a syntax discussion focuses too much on sslmode in particular, and not enough on other settings that would also be good to ratchet forward at some point: min_protocol_version, sslnegotiation, ssl_min_protocol_version, sslrootcert, etc. The idea that all of these client configuration options belong inside our resource locators, as opposed to a file on disk somewhere, is... peculiar. It's nice that they _can_ be part of the syntax, I guess, but they shouldn't really _have_ to be. Thanks, --Jacob
On Wed, Oct 8, 2025 at 1:40 PM Andrew Dunstan <andrew@dunslane.net> wrote: > If we set the default at verify-full (that would be my vote), someone > can undo that for a particular installation by setting PGSSLMODE=prefer > globally on their system I don't think we should ever tell users to set PGSSLMODE=prefer. It's really sticky, and you can't know that third-party code won't defer to it instead of overriding it when they see it defined. A quick Github code search turns up a few people doing exactly that. If we make the change at the default level instead, we remain in control of the override priority, so users will be reverting to the previous behavior instead of introducing new untested behavior. --Jacob
On Wed, Oct 8, 2025 at 5:09 PM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > > Because the alternative to what you're describing here is to just > > change the defaults in some new major release, and let the chips fall > > where they may. People will have to adjust, and one way they might do > > that is by using a service file to recover the old defaults. Whether > > that's better or worse than trying to ease the migration with some > > mechanism like the one you propose here is a judgement call, > > My vote is "worse", because while everyone seems to agree that > `prefer` is bad, no one seems to agree on what the replacement should > be. So momentum on the list dies quickly. And it's not just sslmode > that's in the crosshairs; even if we somehow got to agreement on a > compatibility break there, the exact same discussion is going to > happen with the next one. I'm never going to be a fan of the idea of changing libpq defaults with any frequency, no matter what configuration options we have. If we change those defaults with any regularity, I think it will cause a lot of problems for a lot of people. When there's not agreement on what to change, leaving things unchanged is often the best answer, because it at least has the virtue of not causing random breakage. I also think that Andrew raises a good point about the use of environment variables. That seems like it serves much the same purpose as a global configuration file, so I'm not sure we should have both. -- Robert Haas EDB: http://www.enterprisedb.com
On Thu, Oct 9, 2025 at 5:28 AM Robert Haas <robertmhaas@gmail.com> wrote: > I'm never going to be a fan of the idea of changing libpq defaults > with any frequency, no matter what configuration options we have. If > we change those defaults with any regularity, I think it will cause a > lot of problems for a lot of people. Agreed. (My proposal doesn't advocate for "regular" breakage.) > When there's not agreement on > what to change, leaving things unchanged is often the best answer, I think that's how we get into situations like "everyone hates sslmode=require but no one will change it." I'm looking to add a tool to make agreement easier in the first place. (Maybe there's a better tool than a configuration file? But I'd like to see what a file looks like, because I'm not familiar with any other network client that requires you to put every setting into the URI you use to contact the server. If you know of one please tell me so I can study it.) > because it at least has the virtue of not causing random breakage. I > also think that Andrew raises a good point about the use of > environment variables. That seems like it serves much the same purpose > as a global configuration file, so I'm not sure we should have both. I prefer simplicity, too, but environment variables for libpq mean "this is a trusted setting that you should prefer to the default, even if it's worse". That's not a good fit for the security-related settings I'm concerned with changing. --Jacob
On Thu, Oct 9, 2025 at 11:09 AM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > Agreed. (My proposal doesn't advocate for "regular" breakage.) I understand that, but you mentioned a few different settings ... which could hypothetically turn into changing the default for 1 of them every year or two. > > When there's not agreement on > > what to change, leaving things unchanged is often the best answer, > > I think that's how we get into situations like "everyone hates > sslmode=require but no one will change it." I'm looking to add a tool > to make agreement easier in the first place. That's a fair goal, but I'm not sure that I agree that the tool you're proposing actually has that effect. > (Maybe there's a better tool than a configuration file? But I'd like > to see what a file looks like, because I'm not familiar with any other > network client that requires you to put every setting into the URI you > use to contact the server. If you know of one please tell me so I can > study it.) That's a fair complaint, but on the other hand, specifying the use or non-use of TLS in the URI is completely normal. What's abnormal about our system is that (1) we've got all of these extra levels that don't exist for, say, HTTP and (2) our syntax is quite verbose. > I prefer simplicity, too, but environment variables for libpq mean > "this is a trusted setting that you should prefer to the default, even > if it's worse". That's not a good fit for the security-related > settings I'm concerned with changing. Can you expand on this thought? I don't think I understand. What makes the environment variables "trusted values that you should prefer to the default" rather than just "values that we want to use in this context"? -- Robert Haas EDB: http://www.enterprisedb.com
On Thu, Oct 9, 2025 at 9:02 AM Robert Haas <robertmhaas@gmail.com> wrote:
> I understand that, but you mentioned a few different settings ...
> which could hypothetically turn into changing the default for 1 of
> them every year or two.
I think we should avoid equating "we can change it more frequently
than never" with "we will break everyone all the time". A hypothetical
configuration file does not absolve us of our need to choose defaults
wisely and maintain good interoperability for the community.
> > I think that's how we get into situations like "everyone hates
> > sslmode=require but no one will change it." I'm looking to add a tool
> > to make agreement easier in the first place.
>
> That's a fair goal, but I'm not sure that I agree that the tool you're
> proposing actually has that effect.
And that's fair too; I don't expect to drive consensus without a
concrete proposal in hand.
> > (Maybe there's a better tool than a configuration file? But I'd like
> > to see what a file looks like, because I'm not familiar with any other
> > network client that requires you to put every setting into the URI you
> > use to contact the server. If you know of one please tell me so I can
> > study it.)
>
> That's a fair complaint, but on the other hand, specifying the use or
> non-use of TLS in the URI is completely normal. What's abnormal about
> our system is that (1) we've got all of these extra levels that don't
> exist for, say, HTTP and (2) our syntax is quite verbose.
This again tries to collapse the problem down to sslmode. Look at
gssencmode, sslnegotiation, sslrootcert: all things which IMHO do not
belong in the query string of a URI. We've put connection settings and
application settings at the same level, and to me, that's the abnormal
thing about our system. (Similar problem to the _pq_.* protocol option
debates, actually.)
When you tell your browser to adjust the meaning of "HTTPS" -- whether
it's adding a new root cert to the trust store, disallowing TLS 1.1,
etc. -- you generally do that in a different place from the URL bar,
and the "clients" making use of HTTPS URLs do not know about it. Our
relative fragmentation (when compared to the Web) probably puts us
closer to the SSH use case than a browser use case, because we
absolutely need per-host connection settings. But SSH still lets you
ratchet up defaults across all hosts with its ssh_config.
(I'm actually tempted to double down on the SSH comparison and say
that its host-matching configuration model might be an even _better_
fit for us than our opt-in services model. Because it'd allow every
libpq client to delegate the question of "how do I connect to X" to
us, if they wanted, without having to drill a service name through the
stack. I don't know how far I want to go down that path, in the
absence of people asking for it.)
> > I prefer simplicity, too, but environment variables for libpq mean
> > "this is a trusted setting that you should prefer to the default, even
> > if it's worse". That's not a good fit for the security-related
> > settings I'm concerned with changing.
>
> Can you expand on this thought? I don't think I understand. What makes
> the environment variables "trusted values that you should prefer to
> the default" rather than just "values that we want to use in this
> context"?
Sure: In the context of this thread, I want the configuration file to
be able to act as a pressure release valve for admins who absolutely
cannot follow us forward into verify-full by default, by allowing them
to return to the previous behavior. But setting a new environment
variable isn't guaranteed to return to the previous behavior, because
it's reasonable for applications to defer to trusted envvars if
they're set. (Think `${PGSSLMODE:-verify-full}`.)
In the case of PGSSLMODE=prefer, I think that's especially dangerous:
it will always _look_ like things have returned to the previous state,
because everything will still be requesting SSL, but you may have
actively downgraded the security of the application.
The worst-case persona, in my mind, is a new sysadmin who's panicking
because of a libpq5 upgrade in production on Debian, say maybe through
an indirect package dependency, and something has started failing that
wasn't caught in testing. Downgrading means losing whatever package
brought in the dependency, and they're definitely not equipped to
audit all their code to make sure that PGSSLMODE=prefer isn't going to
do something horrible. I want to give that sysadmin a safe way out.
--Jacob
On Thu, Oct 9, 2025 at 4:21 PM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
> This again tries to collapse the problem down to sslmode. Look at
> gssencmode, sslnegotiation, sslrootcert: all things which IMHO do not
> belong in the query string of a URI. We've put connection settings and
> application settings at the same level, and to me, that's the abnormal
> thing about our system. (Similar problem to the _pq_.* protocol option
> debates, actually.)
That's a really interesting observation. I've always found it a bit
odd that we put things like sslca and sslrootcert into the connection
string, so I think you have a point, here. Not sure I agree about
sslnegotiation or gssencmode, though -- those seem more like sslmode,
which I would argue does belong in the connection string.
> Sure: In the context of this thread, I want the configuration file to
> be able to act as a pressure release valve for admins who absolutely
> cannot follow us forward into verify-full by default, by allowing them
> to return to the previous behavior. But setting a new environment
> variable isn't guaranteed to return to the previous behavior, because
> it's reasonable for applications to defer to trusted envvars if
> they're set. (Think `${PGSSLMODE:-verify-full}`.)
I think this is aiming at quite a narrow target.
> The worst-case persona, in my mind, is a new sysadmin who's panicking
> because of a libpq5 upgrade in production on Debian, say maybe through
> an indirect package dependency, and something has started failing that
> wasn't caught in testing. Downgrading means losing whatever package
> brought in the dependency, and they're definitely not equipped to
> audit all their code to make sure that PGSSLMODE=prefer isn't going to
> do something horrible. I want to give that sysadmin a safe way out.
I would argue that this is a sign that calling every version libpq5 no
matter how much we've changed the behavior is completely insane. This
scenario gets a whole lot better if installing a new release of
PostgreSQL that behaves differently doesn't magically change the
behavior of any existing releases that are already installed.
At the risk of repeating myself, I also think that we need to consider
the flip side of this scenario: some system administrator who thinks
they know better throws something into a system-wide configuration
file and breaks things for, say, PostgreSQL developers running the
regression tests, or applications running on the machine that assume a
certain system-wide configuration that in reality need not prevail
everywhere. I sometimes worry too much about non-problems at times,
and this might be one of those times, so it would be good to hear from
more people, but I think we need to be convinced not only that this
proposal has enough upside to be worth pursuing but also that the
downsides won't be too painful.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Fri, Oct 10, 2025 at 6:24 AM Robert Haas <robertmhaas@gmail.com> wrote:
> That's a really interesting observation. I've always found it a bit
> odd that we put things like sslca and sslrootcert into the connection
> string, so I think you have a point, here. Not sure I agree about
> sslnegotiation or gssencmode, though -- those seem more like sslmode,
> which I would argue does belong in the connection string.
I could see gssencmode=require as a separate scheme. I still object to
its being a query string parameter; I don't think our current
acceptance of "gssencmode=require sslmode=require" is a particularly
good thing.
Putting sslnegotiation at the same level, though, feels like the
ancient distinction between "sldap" (STARTTLS) and "ldaps" (implicit
TLS), which IMO was a confusing historical mistake. And HTTP's version
of sslmode=prefer (opportunistic encryption, a dead experiment) was
still part of the `http:` scheme. Clients didn't opt into that via
URL; they configured it out of band.
> > Sure: In the context of this thread, I want the configuration file to
> > be able to act as a pressure release valve for admins who absolutely
> > cannot follow us forward into verify-full by default, by allowing them
> > to return to the previous behavior. But setting a new environment
> > variable isn't guaranteed to return to the previous behavior, because
> > it's reasonable for applications to defer to trusted envvars if
> > they're set. (Think `${PGSSLMODE:-verify-full}`.)
>
> I think this is aiming at quite a narrow target.
I agree. But it does exist in the wild [1], and sslmode is one of our
most important security settings. So I'm pretty worried about
unilaterally switching to a stronger default, without giving people a
tool to navigate it, if that would actually result in much weaker
security for some percentage of users.
> > The worst-case persona, in my mind, is a new sysadmin who's panicking
> > because of a libpq5 upgrade in production on Debian, say maybe through
> > an indirect package dependency, and something has started failing that
> > wasn't caught in testing. Downgrading means losing whatever package
> > brought in the dependency, and they're definitely not equipped to
> > audit all their code to make sure that PGSSLMODE=prefer isn't going to
> > do something horrible. I want to give that sysadmin a safe way out.
>
> I would argue that this is a sign that calling every version libpq5 no
> matter how much we've changed the behavior is completely insane.
I think SONAME is the wrong hammer to reach for. Network compatibility
is more subtle than link-time ABI. But this has come up before, so I
want to explore it a bit. My guesses:
If we were to update to libpq.so.6 because of this -- without any
actual ABI changes -- then many people downstream aren't going to know
that they're opting into the new behavior anyway. For a true opt-in,
we'd need to actively break people at build time (libpq6.so.0?). Then
those people downstream will want to ask what amazing changes they've
gotten in exchange for this ecosystem fracture, and I suspect they'd
be less than impressed if we said "it makes sslmode stronger by
default".
Our maintainers will probably be less than impressed as well, now that
they get to keep two separate side-by-side binaries that are 99.999%
identical. (And I think there are dependency diamond problems, unless
we version all our symbols, but I haven't paid attention to modern
practices there.)
Maybe the least impressed will be any middleware maintainers who get
their connection strings from a layer above them. We're asking them to
opt into the new behavior at build time, but they can't know whether
it's safe, either. For them, it's _still_ a user-level decision; all
we've done is kicked the can, and nothing has actually improved.
All this to say, I think libpq6 should happen because of an ABI change
relevant to the code that links against us, not because of a user
compatibility change.
> This
> scenario gets a whole lot better if installing a new release of
> PostgreSQL that behaves differently doesn't magically change the
> behavior of any existing releases that are already installed.
We could probably do that if we really wanted, without breaking
SONAME. Our server already has its extensions tell it what version
they were compiled against, and our client could similarly use macro
tricks. Or symbol versioning.
But, as above, I still don't think that an opt-in at build time can
fix the general problem. It only delays the pain until the next time a
dependent package is built.
> At the risk of repeating myself, I also think that we need to consider
> the flip side of this scenario: some system administrator who thinks
> they know better throws something into a system-wide configuration
> file and breaks things for, say, PostgreSQL developers running the
> regression tests
(this is solved, though)
> or applications running on the machine that assume a
> certain system-wide configuration that in reality need not prevail
> everywhere.
I agree we need to consider this scenario; I'm just finding it hard to
treat it as anything other than "don't do that then, highly-privileged
system administrator!" I assume we would tell them the same thing
today if they exported PGSERVICE globally and broke applications that
relied on environment variables.
> I sometimes worry too much about non-problems at times,
> and this might be one of those times, so it would be good to hear from
> more people, but I think we need to be convinced not only that this
> proposal has enough upside to be worth pursuing but also that the
> downsides won't be too painful.
Agreed.
Thanks,
--Jacob
[1] https://github.com/search?q=%22PGSSLMODE%3A-require%22&type=code
On Mon, Oct 13, 2025 at 3:57 PM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > Putting sslnegotiation at the same level, though, feels like the > ancient distinction between "sldap" (STARTTLS) and "ldaps" (implicit > TLS), which IMO was a confusing historical mistake. And HTTP's version > of sslmode=prefer (opportunistic encryption, a dead experiment) was > still part of the `http:` scheme. Clients didn't opt into that via > URL; they configured it out of band. The distinction in my mind is that sslmode, gssencmode, and sslnegotiation define what we're doing on the wire, whereas parameters like sslcert just define where local resources are to be found. Granted, that influences what we're doing on the wire in a different way, but you can move the file and update the value of sslcert and get the same results, because the connection fundamentally doesn't care where its local files are found, whereas flipping sslnegotiation or sslmode is a fundamental alteration to what the connection tries to do. How do you see it? > > I think this is aiming at quite a narrow target. > > I agree. But it does exist in the wild [1], and sslmode is one of our > most important security settings. So I'm pretty worried about > unilaterally switching to a stronger default, without giving people a > tool to navigate it, if that would actually result in much weaker > security for some percentage of users. I'm unconvinced that this is worth worrying about. I am a little surprised to see the number of hits that your search found, but I think people will (and should) update their code. > > I would argue that this is a sign that calling every version libpq5 no > > matter how much we've changed the behavior is completely insane. > > I think SONAME is the wrong hammer to reach for. Network compatibility > is more subtle than link-time ABI. But this has come up before, so I > want to explore it a bit. My guesses: > > If we were to update to libpq.so.6 because of this -- without any > actual ABI changes -- then many people downstream aren't going to know > that they're opting into the new behavior anyway. For a true opt-in, > we'd need to actively break people at build time (libpq6.so.0?). Then > those people downstream will want to ask what amazing changes they've > gotten in exchange for this ecosystem fracture, and I suspect they'd > be less than impressed if we said "it makes sslmode stronger by > default". My theory is that they'll be even less impressed if they try to use a supposedly-compatible library and it breaks a bunch of stuff, but I wonder what Christoph Berg (cc'd) thinks. -- Robert Haas EDB: http://www.enterprisedb.com
Re: Robert Haas > My theory is that they'll be even less impressed if they try to use a > supposedly-compatible library and it breaks a bunch of stuff, but I > wonder what Christoph Berg (cc'd) thinks. It would also hinder adoption of PG in more places. There are currently thousands of software products that link to libpq in some form, and it would take several years to have them all fixed if ABI/API compatibility were broken. Chasing the long tail there is hard; we get to witness that every year with upstreams that aren't compatible with PG18 yet. For some extensions, I'm still waiting to get my PG17 (or PG16!) patches merged. Christoph
On Mon, Oct 13, 2025 at 4:22 PM Christoph Berg <myon@debian.org> wrote: > Re: Robert Haas > > My theory is that they'll be even less impressed if they try to use a > > supposedly-compatible library and it breaks a bunch of stuff, but I > > wonder what Christoph Berg (cc'd) thinks. > > It would also hinder adoption of PG in more places. There are > currently thousands of software products that link to libpq in some > form, and it would take several years to have them all fixed if > ABI/API compatibility were broken. Chasing the long tail there is > hard; we get to witness that every year with upstreams that aren't > compatible with PG18 yet. For some extensions, I'm still waiting to > get my PG17 (or PG16!) patches merged. So you support calling it libpq.so.5 forever, no matter how much we change? -- Robert Haas EDB: http://www.enterprisedb.com
Re: Robert Haas > So you support calling it libpq.so.5 forever, no matter how much we change? I would say SONAME/ABI/API breakages are not a tool to promote better SSL settings. If we want to move to sslmode=verify-full by default, we should just do that. I don't see why adding extra ABI/API pain would make that transition any better for users. We can move to libpq6 if there are technical reasons, but the general pain will be long-lasting until the whole world has caught up. (Debian etc can switch pretty easily, but there's a gazillion of third-party things.) Christoph
On Mon, Oct 13, 2025 at 4:30 PM Christoph Berg <myon@debian.org> wrote: > Re: Robert Haas > > So you support calling it libpq.so.5 forever, no matter how much we change? > > I would say SONAME/ABI/API breakages are not a tool to promote better > SSL settings. If we want to move to sslmode=verify-full by default, we > should just do that. I don't see why adding extra ABI/API pain would > make that transition any better for users. > > We can move to libpq6 if there are technical reasons, but the general > pain will be long-lasting until the whole world has caught up. (Debian > etc can switch pretty easily, but there's a gazillion of third-party > things.) OK, good to know. I somehow can't get over how crazy it seems to hadcode the version to 5 forever, but, eh, [ old man yells at cloud emoji here ]. -- Robert Haas EDB: http://www.enterprisedb.com
On Mon, Oct 13, 2025 at 1:15 PM Robert Haas <robertmhaas@gmail.com> wrote: > The distinction in my mind is that sslmode, gssencmode, and > sslnegotiation define what we're doing on the wire, whereas parameters > like sslcert just define where local resources are to be found. > Granted, that influences what we're doing on the wire in a different > way, but you can move the file and update the value of sslcert and get > the same results, because the connection fundamentally doesn't care > where its local files are found, whereas flipping sslnegotiation or > sslmode is a fundamental alteration to what the connection tries to > do. How do you see it? I agree with your bucketing of wire-vs-non-wire parameters, but to me, that's not really the dividing line for what belongs in an "ideal" connection string. It's just an indication that something is off -- that there is no dividing line right now, and that's strange. I've been trying to frame this in terms of our URI structure, mostly because it highlights how odd our setup is. It's true that you don't type your client certificate path into your browser's location bar (it's not on the wire), but it's also true that you don't put the minimum TLS version there, or the OCSP fallback behavior (both on the wire). The latter two are still out-of-band decisions, separate from the name of the resource itself, even though they directly affect whether a browser can connect at all to certain hosts. That goes back to what I was saying earlier about ssh_config, and how its style might have been a better match for some of our use cases. Host matching lets the user say "oh yeah, that server is weird, connect this way" without forcing every application that uses SSH to understand that information. > I'm unconvinced that this is worth worrying about. I am a little > surprised to see the number of hits that your search found, but I > think people will (and should) update their code. I think one of the fundamental issues with sslmode=prefer is that the affected people are unlikely to notice they should update their code. SSL will continue to be used. Nothing will break, but active attacks will be silently enabled. And if someone affected by this comes to a list to report and/or complain, I think they're likely to be greeted by a chorus of "why would an informed sysadmin ever define PGSSLMODE=prefer? so insecure, PEBKAC, skill issue". I get that I'm coming at this from the paranoid-security-person side of things, but I feel like the ecosystem effects of officially recommending a bad PGSSLMODE as a compatibility hack are not being given the same scrutiny as the ecosystem effects of adding a configuration file. > My theory is that they'll be even less impressed if they try to use a > supposedly-compatible library and it breaks a bunch of stuff I agree with that, but also that's why I started this thread. I think both options (keeping sslmode=prefer by default, and unilaterally changing to something stronger) are untenable, and I'm trying to cut the knot. Some library I was looking at recently (can't remember which, or I'd link it) had an interesting approach to compatibility breaks. It 1) warned about the break in version X, if you relied on the behavior, 2) broke behavior by default in version X+1, but gave you the option to return to the prior functionality for a single release, and then 3) removed the deprecated behavior in version X+2. I don't think that exact plan would work for us, but if our back branches had client config files, you might imagine a world where we backported warnings for really important changes. "You're relying on default behavior that is about to change in PG30, and you need to explicitly opt into the old behavior now if you don't want to break when you upgrade." (Proof-of-concept on the way soon.) Thanks, --Jacob