[#461] fix ssl connection to postgres in server_passthrough #462

Open: wants to merge 1 commit into base master

Conversation

ashu3103 (Collaborator)

Work In Progress

Tried to resolve the issue #461

@jesperpedersen @fluca1978 PTAL

@jesperpedersen (Collaborator)

I would start with the TLS tutorial - describe a setup where PostgreSQL has a self-signed certificate - and, how to generate that - and pgagroal has a self-signed certificate - and, how to generate it. You could call that section "Transport Security Layer (TLS) only setup".

How does a client get a connection through pgagroal to PostgreSQL when only TLS is enabled the whole way?

So, c_ssl and s_ssl are very different in each layer, so we need to make sure they are the correct ones

@ashu3103 (Collaborator Author)

> I would start with the TLS tutorial - describe a setup where PostgreSQL has a self-signed certificate - and, how to generate that - and pgagroal has a self-signed certificate - and, how to generate it. You could call that section "Transport Security Layer (TLS) only setup".

Okay, I'll add that.

> How does a client get a connection through pgagroal to PostgreSQL when only TLS is enabled the whole way?

The connection of that client is not cached; it's a new connection (unpooled_connection).

> So, c_ssl and s_ssl are very different in each layer, so we need to make sure they are the correct ones

Can you please elaborate what (each layer) exactly represents?

@jesperpedersen (Collaborator)

By layers I mean: Client <-> pgagroal <-> PostgreSQL

The root certificate is different - since it is self-signed - between pgagroal and PostgreSQL.

If there are issues you will find them when you work your way through the new section in the tutorial

@ashu3103 (Collaborator Author)

> By layers I mean: Client <-> pgagroal <-> PostgreSQL
>
> The root certificate is different - since it is self-signed - between pgagroal and PostgreSQL.
>
> If there are issues you will find them when you work your way through the new section in the tutorial

Done with the tutorial

Working alright with the current changes when a new connection is created using unpooled_connection.


## Setup

To enforce tls along the whole path, we first need to create X509 certicates for client->pgagroal and pgagroal->postgres seperately.
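Review bot: spelling in the sentence under `## Setup`: "certicates" should be "certificates" and "seperately" should be "separately"; "X509" is conventionally written "X.509".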
Collaborator:

tls -> TLS, client->pgagroal -> client to pgagroal, pgagroal->postgres -> pgagroal to PostgreSQL

and make the contents of `pg_hba.conf` -

```
hostssl all all all md5
```

Collaborator:

we should use scram-sha-256

Collaborator Author:

Will do

here we are choosing md5 for authenticating the requested user and database against postgres catalog
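Review bot: `hostssl all all all md5` accepts TLS connections for every user and database from any address; in this setup only pgagroal should reach PostgreSQL, so the tutorial should narrow the address column to pgagroal's host (for example `hostssl all all 127.0.0.1/32 scram-sha-256` when both run on the same machine) and, as already noted above, use scram-sha-256 rather than md5.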
Collaborator:

md5 -> scram-sha-256

Collaborator Author:

The scram-sha-256 is giving channel binding check failed errors because we are switching ssl sessions between actual client and postgres server.

Is there some way to bypass it?

Or we will have to present same certificates on both sides (c_ssl == s_ssl)?

@jesperpedersen (Collaborator)

Can you add the 06, 07 and 08 tutorials to doc/GETTING_STARTED.md ?

@jesperpedersen (Collaborator)

Maybe swap 07 and 08 around

@ashu3103 (Collaborator Author)

> Can you add the 06, 07 and 08 tutorials to doc/GETTING_STARTED.md ?

Done!

@ashu3103 (Collaborator Author)

> Maybe swap 07 and 08 around

Done! Will commit all the changes all together.

@jesperpedersen (Collaborator)

We need to have scram-sha-256 working in order for this feature to get merged.

You can start with the same certificate chain for the entire stack and go from there

@ashu3103 (Collaborator Author)

> We need to have scram-sha-256 working in order for this feature to get merged.
>
> You can start with the same certificate chain for the entire stack and go from there

This again is posing some problems as postgres certificate key should be owned by either postgres/root and we can't generalise this for all use cases.

We have to think of some other workaround for this.

@jesperpedersen (Collaborator)

Yes, the certificates should be owned by the user running PostgreSQL, and the user running pgagroal.

So, we need a setup with a TLS chain that contains the certificates that we need

@ashu3103 (Collaborator Author)

ashu3103 commented Sep 19, 2024

Hi @jesperpedersen @fluca1978

I am using Postgres12 and couldn't find a way to disable channel binding i.e. refrain from using SCRAM-SHA-256-PLUS.
So, I tried to create a custom AuthenticateSASL -

```c
/* Hand-built AuthenticationSASL (B): kind 'R', int32 length, int32 10, one mechanism name, list terminator. */
scramMsg->kind = 'R';
scramMsg->length = scramMsgLength + 11;                           /* 1 + 4 + 4 + name + NUL + NUL */
pgagroal_write_int32(scramMsg->data + 1, scramMsgLength + 10);    /* length field excludes the kind byte */
pgagroal_write_int32(scramMsg->data + 5, 10);                     /* 10 = AuthenticationSASL */
pgagroal_write_string(scramMsg->data + 9, mechanism);             /* e.g. "SCRAM-SHA-256" */
pgagroal_write_byte(scramMsg->data + scramMsgLength + 9, '\0');   /* terminates the mechanism name */
pgagroal_write_byte(scramMsg->data + scramMsgLength + 10, '\0');  /* empty name ends the list */
```

The client is still demanding channel binding even though the channel_binding=disable flag is enforced in psql:

```
psql: error: FATAL:  SCRAM channel binding negotiation error
DETAIL:  The client supports SCRAM channel binding but thinks the server does not.  However, this server does support channel binding.
```

Can you suggest some ways to disable SCRAM-SHA-256-PLUS from the server side and the client side?

@jesperpedersen (Collaborator)

We don't support channel binding - don't know how hard it would be to extend the current implementation.

https://www.postgresql.org/docs/current/sasl-authentication.html
https://datatracker.ietf.org/doc/html/rfc5802#page-14
https://www.postgresql.org/docs/devel/protocol-message-formats.html
AuthenticationSASL (B)

@jesperpedersen (Collaborator)

See 2), and pgmoneta_create_auth_scram256_response() - that should force the non-PLUS version... but apparently the server is trying to upgrade...
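Added illustration of the message and the flag this thread turns on (my own example code, not from pgagroal or this PR; all function names here are my own). It builds an AuthenticationSASL (B) message, checks which mechanisms it offers, and reads the GS2 channel-binding flag that opens a SCRAM client-first message. That flag is why the "negotiation error" above appears: a client offered only SCRAM-SHA-256 by pgagroal answers with the 'y' flag, and when that answer is relayed to a PostgreSQL server reached over TLS, which itself offers SCRAM-SHA-256-PLUS, the server treats 'y' as a downgrade attempt and rejects it.

```c
#include <stdint.h>
#include <string.h>
static void put_i32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint32_t get_i32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }

/* Build an AuthenticationSASL (B) message: 'R' | int32 len (excludes the kind byte) | int32 10 |
 * NUL-terminated mechanism names | NUL. Returns bytes written; out needs 10 + sum(strlen+1) bytes. */
size_t build_auth_sasl(uint8_t *out, const char **mechs, int n)
{
   size_t pos = 9;                                  /* kind + length + auth type come first */
   for (int i = 0; i < n; i++) {
      size_t l = strlen(mechs[i]) + 1;              /* name plus its terminating NUL */
      memcpy(out + pos, mechs[i], l);
      pos += l;
   }
   out[pos++] = '\0';                               /* empty name terminates the list */
   out[0] = 'R';
   put_i32(out + 1, (uint32_t)(pos - 1));
   put_i32(out + 5, 10);                            /* 10 = AuthenticationSASL */
   return pos;
}

/* Return 1 if an AuthenticationSASL message advertises mech, 0 if not or malformed. */
int auth_sasl_offers(const uint8_t *msg, size_t len, const char *mech)
{
   if (len < 10 || msg[0] != 'R' || get_i32(msg + 1) != len - 1 || get_i32(msg + 5) != 10)
      return 0;
   for (size_t pos = 9; pos < len && msg[pos] != '\0'; pos += strlen((const char *)msg + pos) + 1)
      if (strcmp((const char *)msg + pos, mech) == 0)
         return 1;
   return 0;
}

/* GS2 flag opening a SCRAM client-first-message (RFC 5802): 'n' = client cannot bind,
 * 'y' = client can bind but saw no -PLUS offered, 'p' = "p=<type>" binding selected. 0 if malformed. */
char gs2_cb_flag(const char *client_first)
{
   if ((client_first[0] == 'n' || client_first[0] == 'y') && client_first[1] == ',')
      return client_first[0];
   return (client_first[0] == 'p' && client_first[1] == '=') ? 'p' : 0;
}

/* What a server that can do channel binding accepts (PostgreSQL offers -PLUS whenever the
 * connection is TLS): a 'y' flag arriving at a server that offered -PLUS is treated as a
 * downgrade attempt and rejected, which is the psql error quoted earlier in this thread. */
int server_accepts_flag(int server_offered_plus, char flag)
{
   if (flag == 'n') return 1;
   if (flag == 'p') return server_offered_plus;
   return flag == 'y' && !server_offered_plus;
}
```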

jesperpedersen added a commit to jesperpedersen/pgagroal that referenced this pull request Oct 11, 2024
Labels: feature (New feature)

2 participants