On 11/05/2024 23:45, Jelte Fennema-Nio wrote:
> On Fri, 10 May 2024 at 15:50, Heikki Linnakangas <hlinn...@iki.fi> wrote:
>> New proposal:
>>
>> - Remove the "try both" mode completely, and rename "requiredirect" to
>> just "direct". So there would be just two modes: "postgres" and
>> "direct". On reflection, the automatic fallback mode doesn't seem very
>> useful. It would make sense as the default, because then you would get
>> the benefits automatically in most cases but still be compatible with
>> old servers. But if it's not the default, you have to fiddle with libpq
>> settings anyway to enable it, and then you might as well use the
>> "requiredirect" mode when you know the server supports it. There isn't
>> anything wrong with it as such, but given how much confusion there's
>> been on how this all works, I'd prefer to cut this back to the bare
>> minimum now. We can add it back in the future, and perhaps make it the
>> default at the same time. This addresses points 2. and 3. above.
>>
>> and:
>>
>> - Only allow sslnegotiation=direct with sslmode=require or higher. This
>> is what you, Jacob, wanted to do all along, and addresses point 1.
>>
>> Thoughts?

> Sounds mostly good to me. But I think we'd want to automatically
> increase sslmode to require if it is unset, but sslnegotiation is set
> to direct. Similar to how we bump sslmode to verify-full if
> sslrootcert is set to system, but sslmode is unset. i.e. it seems
> unnecessary/unwanted to throw an error if the connection string only
> contains sslnegotiation=direct.

I find that error-prone. For example:

1. Try to connect to a server with direct negotiation: psql "host=foobar dbname=mydb sslnegotiation=direct"

2. It fails. Maybe it was an old server? Let's change it to sslnegotiation=postgres.

3. Now it succeeds. Great!

You might miss that by changing sslnegotiation to 'postgres', or by removing it altogether, you not only made it compatible with older server versions, but you also allowed falling back to a plaintext connection. Maybe you're fine with that, but maybe not. I'd like to nudge people to use sslmode=require, not rely on implicit stuff like this just to make connection strings a little shorter.

I'm not a fan of sslrootcert=system implying sslmode=verify-full either, for the same reasons. But at least "sslrootcert" is a clearly security-related setting, so removing it might give you pause, whereas sslnegotiation is about performance and compatibility.

In v18, I'd like to make sslmode=require the default. Or maybe introduce a new setting like "encryption=ssl|gss|none", defaulting to 'ssl'. If we want to encourage encryption, that's the right way to do it. (I'd still recommend everyone to use an explicit sslmode=require in their connection strings for many years, though, because you might be using an older client without realizing it.)

--
Heikki Linnakangas
Neon (https://neon.tech)
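To make the two positions in this exchange concrete, here is an added example (not code from the thread or from libpq) that checks a libpq-style connection string against the proposed rule that sslnegotiation=direct is only accepted with sslmode=require or higher, and that flags when a string could still fall back to plaintext. The `auto_bump` switch is a hypothetical knob that models the alternative of silently raising sslmode to require instead of erroring; the parser is a simplified one that assumes plain `key=value` tokens.

```python
# Added example: checker for libpq-style conninfo strings (not libpq's own parser).
import shlex

# Ordered from weakest to strongest; "prefer" is libpq's default when sslmode is unset.
SSLMODE_ORDER = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
NEGOTIATION_MODES = ("postgres", "direct")   # the two modes proposed in the thread


def parse_conninfo(conninfo):
    """Parse a space-separated key=value conninfo string (simplified; no URIs)."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"missing '=' after '{key}'")
        params[key.strip()] = value.strip()
    return params


def check_ssl_settings(conninfo, auto_bump=False):
    """Return (accepted, messages) for the connection string.

    auto_bump=False: reject sslnegotiation=direct unless sslmode >= require.
    auto_bump=True : hypothetical alternative, bump an unset sslmode to require.
    Either way, report when the string could still fall back to plaintext.
    """
    params = parse_conninfo(conninfo)
    sslmode = params.get("sslmode", "prefer")
    negotiation = params.get("sslnegotiation", "postgres")
    messages = []
    if sslmode not in SSLMODE_ORDER:
        return False, [f"unknown sslmode '{sslmode}'"]
    if negotiation not in NEGOTIATION_MODES:
        return False, [f"unknown sslnegotiation '{negotiation}'"]
    if negotiation == "direct" and "sslmode" not in params and auto_bump:
        sslmode = "require"
        messages.append("sslmode unset: bumped to require because sslnegotiation=direct")
    encrypted = SSLMODE_ORDER.index(sslmode) >= SSLMODE_ORDER.index("require")
    if negotiation == "direct" and not encrypted:
        return False, ["sslnegotiation=direct requires sslmode=require or higher"]
    if not encrypted:
        # This is the silent change in the psql scenario: switching direct -> postgres
        # without an explicit sslmode also re-enables the plaintext fallback.
        messages.append(f"sslmode={sslmode}: connection may fall back to plaintext")
    return True, messages


if __name__ == "__main__":
    for s in ("host=foobar dbname=mydb sslnegotiation=direct",
              "host=foobar dbname=mydb sslnegotiation=postgres",
              "host=foobar dbname=mydb sslmode=require sslnegotiation=direct"):
        print(s, "->", check_ssl_settings(s))
```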