Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"

From: Markus KARG <markus(at)headcrashing(dot)eu>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
Date: 2024-12-25 18:22:19
Message-ID: 8a8cba41-fa82-492b-8500-a7538e5d5cf7@headcrashing.eu
Lists: pgsql-bugs

> On 25/12/2024 19:05, Markus KARG wrote:
>> I am running the official PostgreSQL 17.2 Docker Container
>> (https://hub.docker.com/layers/library/postgres/17.2/images/sha256-c063081175f45f4a3a5ac03c234e060e67618ebe75b49e2a7ffb79f8357bd1e6)
>> proxied by a TLSv1.3 proxy (official Traefik 3.2.3 Docker Container
>> https://hub.docker.com/layers/library/traefik/v3.2.3/images/sha256-06966a9ba1747ad724a490b8f27df1434c64e8eee5d681df03c4761c9653f62c).
>> Traefik utilizes ACME with Let's Encrypt to produce the TLS certificate.
>
> In v17, libpq requests the ALPN extension in the TLS handshake. Looks
> like the proxy doesn't know about the "postgresql" ALPN protocol, and
> rejects the connection.
>
> I guess Traefik needs some configuration changes to tell it that the
> "postgresql" protocol is expected. Or code changes.

Traefik does NOT REJECT the connection (if it did, the error message
from psql would be different).

Traefik has been "postgres-aware" since 3.0.0, and I am running 3.2.3.

Note that psql v16.3 works fine but psql v16.4 does not, so a change
introduced by v17 CANNOT be the cause of the current problem.

>> Using the official PostgreSQL Docker Container (16.3 vs 16.4+), I am
>> asking psql to connect to my server. While psql 16.3 and earlier
>> versions successfully connect via the TLS proxy to the PostgreSQL
>> server, psql 16.4 and later versions fail to do so:
>>
>> root(at)hetzner-2:~# docker run -it postgres:16.3 psql
>> "host=headcrashing.eu port=5432 dbname=postgres user=postgres
>> password=... sslmode=require"
>> psql (16.3 (Debian 16.3-1.pgdg120+1), server 17.2 (Debian
>> 17.2-1.pgdg120+1))
>> WARNING: psql major version 16, server major version 17.
>>           Some psql features might not work.
>> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_128_GCM_SHA256,
>> compression: off)
>> Type "help" for help.
>>
>> postgres=# \q
>> root(at)hetzner-2:~# docker run -it postgres:16.4 psql
>> "host=headcrashing.eu port=5432 dbname=postgres user=postgres
>> password=... sslmode=require"
>> psql: error: connection to server at "headcrashing.eu" (49.13.53.107),
>> port 5432 failed: SSL error: tlsv1 alert no application protocol
>
> There were no changes between 16.3 and 16.4 to explain this. When I
> test that with v16 client that I built from sources, I don't get that
> error.
>
> The error message suggests that you're actually using libpq v17. And
> indeed I get that error when connecting with v17 client. Perhaps the
> postgres:16.4 docker image was built with v17 libpq?

I am using the original, pre-built container images found on Docker Hub
and have NOT built them on my own. I am not a PostgreSQL committer
either. So I cannot answer your question.
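
Added example (not part of the original message, and not PostgreSQL or Traefik code): a probe that performs the PostgreSQL SSLRequest exchange and then attempts the TLS handshake twice, once offering no ALPN and once offering "postgresql", so the endpoint's reaction to each can be compared. The names `probe` and `compare` are hypothetical, and it assumes the endpoint uses the SSLRequest negotiation rather than direct TLS.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def probe(host, port, alpn=None, verify=True, timeout=5.0):
    """Send SSLRequest, then attempt a TLS handshake, optionally offering ALPN.

    Returns (outcome, detail); outcome is one of "no-tls", "tls-ok",
    "tls-error" or "unexpected".
    """
    ctx = ssl.create_default_context()
    if not verify:  # for lab endpoints with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if alpn:
        ctx.set_alpn_protocols(alpn)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(SSL_REQUEST)
        answer = raw.recv(1)
        if answer == b"N":
            return "no-tls", "server answered N to SSLRequest"
        if answer != b"S":
            return "unexpected", repr(answer)
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok", {"version": tls.version(),
                                  "alpn": tls.selected_alpn_protocol()}
        except ssl.SSLError as exc:
            # A fatal alert received during the handshake is raised here.
            return "tls-error", str(exc)


def compare(host, port, **kw):
    """Run the probe with no ALPN offered and with 'postgresql' offered."""
    return {
        "without_alpn": probe(host, port, alpn=None, **kw),
        "with_postgresql_alpn": probe(host, port, alpn=["postgresql"], **kw),
    }


if __name__ == "__main__":
    import sys
    for name, result in compare(sys.argv[1], int(sys.argv[2])).items():
        print(name, result)
```

Run it as a script with the host and port as arguments; a "tls-error" only in the `with_postgresql_alpn` result means the handshake outcome depends on the ALPN offer.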
