Postgres is refusing tls connection from pgagroal #461

Open
ashu3103 opened this issue Sep 10, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@ashu3103
Contributor

Background

Trying to connect to postgres using TLS (with SSL disabled between the client and pgagroal), focusing on the TLS connection between pgagroal and postgres.

Setup

pgagroal setup

pgagroal.conf

[pgagroal]
host = localhost
port = 2345

log_type = console
log_level = debug5
log_path = 

max_connections = 100
idle_timeout = 600
validation = off
unix_socket_dir = /tmp/

[primary]
host = localhost
port = 5432
tls = on
tls_ca_file = </path/to/root.crt>

pgagroal_hba.conf

host    all      all   all      all

postgres setup

pg_hba.conf

hostssl all all all md5

All connections must use SSL!

postgresql.conf

...
ssl = on
ssl_cert_file = </path/to/server.cert>
ssl_key_file = </path/to/server.key>
...

Issue

While executing the command PGSSLMODE=disable psql -h localhost -p 2345 -U <username> <databasename>:

  • pgagroal successfully does the SSL handshake.
  • Then pgagroal sends the StartupMessage to postgres.
  • Now in server_passthrough we are passing the authentication request messages between the client and postgres.
  • But while exchanging messages in server_passthrough, we are writing to and reading from the postgres file descriptor with ssl=NULL (which is an issue, since our SSL handshake was successful and all subsequent messages after the SSL handshake must be SSL-encrypted).

So, on writing/reading anything to/from the postgres file descriptor, the postgres server terminates/resets the connection.
Logs of postgres (after pgagroal reads/writes to the postgres server in server_passthrough):

2024-09-11 00:27:29.702 IST [187451] ashu3103@test LOG:  SSL error: wrong version number
2024-09-11 00:27:29.702 IST [187451] ashu3103@test LOG:  could not receive data from client: Connection reset by peer

The current security.c file (where the )

...
2218:      status = pgagroal_write_message(NULL, server_fd, msg);
2219:      if (status != MESSAGE_STATUS_OK)
2220:      {
2221:         goto error;
2222:      }
2223:      pgagroal_free_message(msg);
2224:
2225:      status = pgagroal_read_block_message(NULL, server_fd, &msg);
...

Proposed Solution

  • Pass server ssl context to server_passthrough
  • Pass server_ssl to every single write/read to postgres

...
2218:      status = pgagroal_write_message(server_ssl, server_fd, msg);
2219:      if (status != MESSAGE_STATUS_OK)
2220:      {
2221:         goto error;
2222:      }
2223:      pgagroal_free_message(msg);
2224:
2225:      status = pgagroal_read_block_message(server_ssl, server_fd, &msg);
...

@jesperpedersen @fluca1978
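The failure the issue describes, reproduced in-process as an added example (this is not pgagroal's or PostgreSQL's code, and Go is used only because it runs with the standard library alone). The names Connect, serve, startupMessage and selfSignedCert are the example's own; net.Pipe stands in for the server_fd socket, and a certificate generated at run time stands in for ssl_cert_file/ssl_key_file on the backend and for tls_ca_file on the pooler, so the pooler still verifies the backend rather than skipping verification. Connect(true) routes the StartupMessage through the TLS session after the handshake (the proposed fix) and gets AuthenticationOk back; Connect(false) writes the same bytes to the raw fd with the session already established (the ssl=NULL write in server_passthrough), and the backend's TLS layer rejects the record header, which is the same failure Postgres logs as "SSL error: wrong version number".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const protocolV3 = 196608 // PostgreSQL wire protocol 3.0

// startupMessage encodes a StartupMessage from alternating key, value strings: int32
// length (including itself), int32 protocol version, NUL-terminated strings, trailing NUL.
func startupMessage(params ...string) []byte {
	msg := make([]byte, 8, 64)
	binary.BigEndian.PutUint32(msg[4:], protocolV3)
	for _, p := range params {
		msg = append(append(msg, p...), 0)
	}
	msg = append(msg, 0)
	binary.BigEndian.PutUint32(msg, uint32(len(msg)))
	return msg
}

// selfSignedCert is generated in-process; it stands in for ssl_cert_file and
// ssl_key_file on the backend and, as the parsed leaf, for tls_ca_file.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// serve plays the backend: handshake, read one StartupMessage through the TLS
// session, reply AuthenticationOk ('R', int32 8, int32 0). Plaintext on the fd
// after the handshake fails the record-header check ("wrong version number").
func serve(raw net.Conn, cert tls.Certificate) error {
	defer raw.Close()
	// SessionTicketsDisabled keeps post-handshake writes off the synchronous pipe.
	conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	if err := conn.Handshake(); err != nil {
		return err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // one record: the pooler sends the message in one Write
	if err != nil {
		return fmt.Errorf("startup read: %w", err)
	}
	if n < 8 || binary.BigEndian.Uint32(buf) != uint32(n) || binary.BigEndian.Uint32(buf[4:]) != protocolV3 {
		return fmt.Errorf("malformed StartupMessage (%d bytes)", n)
	}
	_, err = conn.Write([]byte{'R', 0, 0, 0, 8, 0, 0, 0, 0})
	return err
}

// Connect plays the pooler: after the handshake it sends the StartupMessage through
// the TLS session (the fix) or to the raw fd (the bug: ssl=NULL) and returns the reply type.
func Connect(writeThroughTLS bool) (byte, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	clientRaw, serverRaw := net.Pipe() // in-process stand-in for server_fd
	defer clientRaw.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- serve(serverRaw, cert) }()
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	conn := tls.Client(clientRaw, &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	var w io.Writer = conn
	if !writeThroughTLS {
		w = clientRaw // plaintext onto a fd whose peer now expects TLS records
	}
	if _, err := w.Write(startupMessage("user", "ashu3103", "database", "test")); err != nil {
		return 0, err
	}
	reply := make([]byte, 9)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return 0, fmt.Errorf("pooler: %v; backend: %v", err, <-srvErr)
	}
	return reply[0], <-srvErr
}
```

Connect(true) returns 'R' with a nil error; Connect(false) returns an error that carries both halves of the failure, the pooler seeing the backend's alert or a closed connection and the backend reporting a record header whose version field holds the first bytes of the StartupMessage length rather than a TLS version. That is the invariant behind the proposed fix: once the handshake on server_fd has completed, every later read and write on that descriptor has to go through the session object, never through the bare fd.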
