[#461] fix ssl connection to postgres in server_passthrough #462
I would start with the TLS tutorial - describe a setup where PostgreSQL has a self-signed certificate - and, how to generate that - and pgagroal has a self-signed certificate - and, how to generate it. You could call that section "Transport Security Layer (TLS) only setup". How does a client get a connection through pgagroal to PostgreSQL when only TLS is enabled the whole way? So,
Okay, I'll add that.
The connection for that client is not cached; it's a new connection (unpooled_connection).
Can you please elaborate what does (
By layers I mean: Client <-> pgagroal <-> PostgreSQL. The root certificate is different - since it is self-signed - between pgagroal and PostgreSQL. If there are issues you will find them when you work your way through the new section in the tutorial.
Done with the tutorial. Working alright with the current changes when a new connection is created using
## Setup | ||
To enforce tls along the whole path, we first need to create X509 certicates for client->pgagroal and pgagroal->postgres seperately. |
tls -> TLS, client->pgagroal -> client to pgagroal, pgagroal->postgres -> pgagroal to PostgreSQL
and make the contents of `pg_hba.conf` - | ||
``` | ||
hostssl all all all md5 |
we should use scram-sha-256
Will do
hostssl all all all md5 | ||
``` | ||
here we are choosing md5 for authenticating the requested user and database against postgres catalog |
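Review bot: Two typos in the new Setup paragraph should be fixed before merge: "certicates" should read "certificates" and "seperately" should read "separately". The lower-case "tls" and the arrow notation ("client->pgagroal", "pgagroal->postgres") were already raised above; applying those in the same pass would keep the section consistent with the rest of the tutorial.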
md5 -> scram-sha-256
The scram-sha-256 is giving "channel binding check failed" errors because we are switching SSL sessions between the actual client and the PostgreSQL server. Is there some way to bypass it? Or will we have to present the same certificates on both sides (c_ssl == s_ssl)?
Can you add the 06, 07 and 08 tutorials to doc/GETTING_STARTED.md?
Maybe swap 07 and 08 around
Done!
Done! Will commit all the changes together.
We need to have You can start with the same certificate chain for the entire stack and go from there
This again is posing some problems as We have to think of some other workaround for this
Yes, the certificates should be owned by the user running PostgreSQL, and the user running pgagroal. So, we need a setup with a TLS chain that contains the certificates that we need
I am using Postgres12 and couldn't find a way to disable channel binding, i.e. refrain from using SCRAM-SHA-256-PLUS.
The client is still demanding channel binding even though
Can you suggest some ways to disable SCRAM-SHA-256-PLUS from the server side and the client side.
We don't support channel binding - don't know how hard it would be to extend the current implementation. https://www.postgresql.org/docs/current/sasl-authentication.html
See 2), and pgmoneta_create_auth_scram256_response() - that should force the non-PLUS version... but apparently the server is trying to upgrade...
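Added illustration (not code from pgagroal, pgmoneta or this PR) of why the "channel binding check failed" error discussed above appears when pgagroal terminates the client's TLS session and opens a separate one to PostgreSQL, and what the non-PLUS GS2 header looks like. The certificate bytes are constructed placeholders standing in for DER-encoded certificates, and SHA-256 as the tls-server-end-point hash is an assumption (RFC 5929 takes it from the certificate's signature algorithm).

```python
import base64
import hashlib
from typing import Optional

# GS2 headers that prefix the SCRAM client-first-message (RFC 5802 / RFC 7677).
GS2_NO_CB = b"n,,"                                        # client does not use channel binding
GS2_CLIENT_SUPPORTS_CB = b"y,,"                           # client supports it, server offered no -PLUS
GS2_TLS_SERVER_END_POINT = b"p=tls-server-end-point,,"    # SCRAM-SHA-256-PLUS


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding data: a hash of the server certificate
    as seen on *this* TLS session. Assumption: SHA-256 (the real rule derives the
    hash from the cert's signatureAlgorithm, with MD5/SHA-1 also mapped to SHA-256)."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_attr(gs2_header: bytes, cert_der: Optional[bytes]) -> str:
    """The SCRAM 'c=' attribute of client-final-message: base64(gs2_header || cb_data).
    cb_data is empty unless the header selects a channel binding type ('p=...')."""
    cb_data = tls_server_end_point(cert_der) if gs2_header.startswith(b"p=") else b""
    return base64.b64encode(gs2_header + cb_data).decode("ascii")


def server_check(received_c: str, server_cert_der: bytes) -> bool:
    """Server side of SCRAM-SHA-256-PLUS: recompute 'c=' from the certificate the
    server itself presented and require an exact match."""
    return received_c == channel_binding_attr(GS2_TLS_SERVER_END_POINT, server_cert_der)


def passthrough_binding_ok(client_facing_cert: bytes, postgres_cert: bytes) -> bool:
    """Model Client <-> pgagroal <-> PostgreSQL: the client binds to the certificate
    pgagroal showed it, but PostgreSQL verifies against its own certificate."""
    c_attr = channel_binding_attr(GS2_TLS_SERVER_END_POINT, client_facing_cert)
    return server_check(c_attr, postgres_cert)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
PGAGROAL_CERT = b"constructed DER: pgagroal self-signed certificate"
POSTGRES_CERT = b"constructed DER: PostgreSQL self-signed certificate"

if __name__ == "__main__":
    print("same certificate on both hops (c_ssl == s_ssl):",
          passthrough_binding_ok(POSTGRES_CERT, POSTGRES_CERT))   # True
    print("two TLS sessions with different certificates:",
          passthrough_binding_ok(PGAGROAL_CERT, POSTGRES_CERT))   # False -> "channel binding check failed"
    print("non-PLUS 'c=' attribute:", channel_binding_attr(GS2_NO_CB, None))  # biws
```

The mismatch case is exactly the two-session setup described in the thread; the non-PLUS header carries no certificate hash, which is why it is unaffected by the proxy, provided the server does not upgrade to the -PLUS mechanism.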
Work In Progress
Tried to resolve the issue #461
@jesperpedersen @fluca1978 PTAL