Is SSLRequest not supported by Frontend Receive()? #15

Open
andheiberg opened this issue May 14, 2021 · 3 comments

andheiberg commented May 14, 2021

Hi 👋,

Sorry if this question has an obvious answer. I have no experience with Go nor the PG wire protocol.

But I've had some trouble running https://github.com/jackc/pgmock/tree/master/pgmockproxy and think I've figured out why.

Behaviour:

```
$ ./pgproxy -listen 127.0.0.1:5433 -remote 127.0.0.1:5432
F {"Type":"SSLRequest","ProtocolVersion":0,"Parameters":null}
... hangs ...
```

Debugging:

I found the following in the PG docs:

To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message rather than a StartupMessage. The server then responds with a single byte containing S or N, indicating that it is willing or unwilling to perform SSL, respectively.

My understanding of the issue is therefore:

  1. Proxy listens for a message to the backend: `p.backend.ReceiveStartupMessage()`.
  2. Backend gets the startup message, determines it's an SSLRequest and forwards it to the frontend (PG Server): `p.frontend.Send(msg)`.
  3. Proxy listens for a message from the frontend: `p.frontend.Receive()`.
  4. PG Server sends a 1-byte message `S`.
  5. Proxy continues to listen because `Receive()` calls `header, err := f.cr.Next(5)`, i.e. it waits for 5 bytes to be received and it has only received 1 byte.

Step 5 being the problem.

Questions:

  1. Is this library supposed to support SSL connections?
  2. If yes, am I correct in my understanding that it's currently broken?
  3. If yes, should I try to fix it and send you a PR? Any thoughts on how you would prefer I do this? (can't guarantee I will be successful)

gitstashpop commented May 14, 2021

pgproto3 has support for TLS (see ssl_request), but pgmockproxy is not handling the SSLRequest.

Since pgmockproxy is just a simple testing proxy, you could connect with sslmode=disable. If you would like to add TLS support for the proxy, you would need to determine the type of message returned by ReceiveStartupMessage() and handle it appropriately, e.g. returning S or N and setting up a TLS conn. HTH.

@andheiberg

@yulicrunchy thank you 🙏 in retrospect it's funny this didn't occur to me. Naturally I would have to do TLS termination in the proxy to be able to read the queries the user is sending 🤦

I guess I wonder how I will set up a TLS connection to the remote though because of the f.cr.Next(5) though?

andy-g commented Jul 9, 2024

@andheiberg @gitstashpop I'm needing to connect to a backend server that only supports connections over TLS. Does anyone have an example of how to implement that? Down the line I'd probably like to enable TLS from the proxy, so clients connecting to it can also connect via TLS, but my first concern is being able to connect to a backend postgres instance that enforces TLS. I realise I'm commenting on a really old thread here, but any help pointing me in the right direction would be hugely appreciated.
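
For the backend side of the exchange discussed in this thread, the sketch below sends the SSLRequest itself and reads the reply as a single byte before any 5-byte message framing starts, then wraps the connection in TLS. It is an added example, not code from the thread or from pgmock; `upgradeToTLS`, `fakeBackend` and the host name `db.example.internal` are hypothetical, and the fake server is constructed for the demo.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

var errTLSRefused = errors.New("backend answered N; not continuing in plaintext")

// upgradeToTLS (hypothetical) sends SSLRequest and reads the one-byte S/N reply, not a 5-byte header.
func upgradeToTLS(conn net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	req := make([]byte, 8)
	binary.BigEndian.PutUint32(req[0:], 8)        // message length, counting itself
	binary.BigEndian.PutUint32(req[4:], 80877103) // SSLRequest code: 1234<<16 | 5679
	if _, err := conn.Write(req); err != nil {
		return nil, err
	}
	var reply [1]byte
	if _, err := io.ReadFull(conn, reply[:]); err != nil {
		return nil, err
	}
	switch reply[0] {
	case 'S':
		return tls.Client(conn, cfg), nil // TLS handshake runs on first read/write
	case 'N':
		return nil, errTLSRefused // fail closed, no plaintext fallback
	}
	return nil, fmt.Errorf("unexpected SSLRequest reply %q", reply[0])
}

// fakeBackend is a constructed stand-in server: reads 8 bytes, answers one byte.
func fakeBackend(reply byte) net.Conn {
	client, server := net.Pipe()
	go func() {
		defer server.Close()
		if _, err := io.ReadFull(server, make([]byte, 8)); err == nil {
			server.Write([]byte{reply})
		}
	}()
	return client
}

func main() {
	_, err := upgradeToTLS(fakeBackend('N'), &tls.Config{ServerName: "db.example.internal"})
	fmt.Println(err)
}
```

The returned `*tls.Conn` takes the place of the raw TCP connection when the proxy builds its frontend, so the StartupMessage and everything after it travel inside TLS. Set `ServerName` (and a root pool if the backend uses a private CA) so the certificate is actually verified.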
