NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit17a834a

committed

Reject SSL connection if ALPN is used but there's no common protocol

If the client supports ALPN but tries to use some other protocol, likeHTTPS, reject the connection in the server. That is surely a confusionof some sort. Furthermore, the ALPN RFC 7301 says:> In the event that the server supports no protocols that the client> advertises, then the server SHALL respond with a fatal> "no_application_protocol" alert.This commit makes the server follow that advice.In the client, specifically check for the OpenSSL error code for the"no_application_protocol" alert. Otherwise you got a cryptic "SSLerror: SSL error code 167773280" error if you tried to connect to anon-PostgreSQL server that rejects the connection with"no_application_protocol". ERR_reason_error_string() returns NULL forthat code, which frankly seems like an OpenSSL bug to me, but we caneasily print a better message ourselves.Reported-by: Jacob ChampionDiscussion:https://www.postgresql.org/message-id/6aedcaa5-60f3-49af-a857-2c76ba55a1f3@iki.fi

1 parent03a0e0d commit17a834aCopy full SHA for 17a834a

File tree

2 files changed

+19

-3

lines changed

src
- backend/libpq
  - be-secure-openssl.c
- interfaces/libpq
  - fe-secure-openssl.c

2 files changed

+19

-3

lines changed

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 7 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1336,10 +1336,14 @@ alpn_cb(SSL *ssl,`
`1336`	`1336`
`1337`	`1337`	`if (retval==OPENSSL_NPN_NEGOTIATED)`
`1338`	`1338`	`returnSSL_TLSEXT_ERR_OK;`
`1339`		`-elseif (retval==OPENSSL_NPN_NO_OVERLAP)`
`1340`		`-returnSSL_TLSEXT_ERR_NOACK;`
`1341`	`1339`	`else`
`1342`		`-returnSSL_TLSEXT_ERR_NOACK;`
	`1340`	`+{`
	`1341`	`+/*`
	`1342`	`+ * The client doesn't support our protocol. Reject the connection`
	`1343`	`+ * with TLS "no_application_protocol" alert, per RFC 7301.`
	`1344`	`+ */`
	`1345`	`+returnSSL_TLSEXT_ERR_ALERT_FATAL;`
	`1346`	`+}`
`1343`	`1347`	`}`
`1344`	`1348`
`1345`	`1349`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1741,6 +1741,18 @@ SSLerrmessage(unsigned long ecode)`
`1741`	`1741`	`returnerrbuf;`
`1742`	`1742`	`}`
`1743`	`1743`
	`1744`	`+if (ERR_GET_LIB(ecode)==ERR_LIB_SSL&&`
	`1745`	`+ERR_GET_REASON(ecode)==SSL_AD_REASON_OFFSET+SSL_AD_NO_APPLICATION_PROTOCOL)`
	`1746`	`+{`
	`1747`	`+/*`
	`1748`	`+ * Server aborted the connection with TLS "no_application_protocol"`
	`1749`	`+ * alert. The ERR_reason_error_string() function doesn't give any`
	`1750`	`+ * error string for that for some reason, so do it ourselves.`
	`1751`	`+ */`
	`1752`	`+snprintf(errbuf,SSL_ERR_LEN,libpq_gettext("no application protocol"));`
	`1753`	`+returnerrbuf;`
	`1754`	`+}`
	`1755`	`+`
`1744`	`1756`	`/*`
`1745`	`1757`	`* In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to`
`1746`	`1758`	`* map system errno values. We can cover that shortcoming with this bit`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit17a834a

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/interfaces/libpq/fe-secure-openssl.c`

0 commit comments