Re: Direct SSL connection with ALPN and HBA rules

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Direct SSL connection with ALPN and HBA rules
Date: 2024-04-26 15:25:21
Message-ID: CA+TgmobV9JEk4AFy61Xw+2+cCTBqdTsDopkeB+gb81kq3f-o6A@mail.gmail.com
Lists: pgsql-hackers

On Thu, Apr 25, 2024 at 5:50 PM Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> On 25/04/2024 21:13, Jacob Champion wrote:
> > On Thu, Apr 25, 2024 at 10:35 AM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> >> Maybe I'm missing something here, but why doesn't sslnegotiation
> >> override sslmode completely? Or alternatively, why not remove
> >> sslnegotiation entirely and just have more sslmode values? I mean
> >> maybe this shouldn't happen categorically, but if I say I want to
> >> require a direct SSL connection, to me that implies that I don't want
> >> an indirect SSL connection, and I really don't want a non-SSL
> >> connection.
>
> My thinking with sslnegotiation is that it controls how SSL is
> negotiated with the server, if SSL is to be used at all. It does not
> control whether SSL is used or required; that's what sslmode is for.

I think this might boil down to the order in which someone thinks that
different settings should be applied. It sounds like your mental model
is that GSS settings are applied first, and then SSL settings are
applied afterwards, and then within the SSL bucket you can select how
you want to do SSL (direct or negotiated) and how required it is. My
mental model is different: I imagine that since direct SSL happens
from the first byte exchanged over the socket, direct SSL "happens
first", making settings that pertain to negotiated GSS and negotiated
SSL irrelevant. Because, logically, if you've decided to use direct
SSL, you're not even going to get a chance to negotiate those things.
I understand that the code as written works around that, by being able
to open a new connection if it turns out that we need to negotiate
that stuff after all, but IMHO that's rather confusing.

--
Robert Haas
EDB: http://www.enterprisedb.com
