
Postgres is refusing tls connection from `pgagroal`

Open ashu3103 opened this issue 5 months ago • 0 comments

Background

Trying to connect to postgres using TLS (SSL disabled between the client and pgagroal), focusing on TLS between pgagroal and postgres.

Setup

pgagroal setup

pgagroal.conf

[pgagroal]
host = localhost
port = 2345

log_type = console
log_level = debug5
log_path = 

max_connections = 100
idle_timeout = 600
validation = off
unix_socket_dir = /tmp/

[primary]
host = localhost
port = 5432
tls = on
tls_ca_file = </path/to/root.crt>

pgagroal_hba.conf

host    all      all   all      all

postgres setup

pg_hba.conf

hostssl all all all md5

All connections must use SSL!

postgresql.conf

...
ssl = on
ssl_cert_file = </path/to/server.cert>
ssl_key_file = </path/to/server.key>
...

Issue

While executing the command `PGSSLMODE=disable psql -h localhost -p 2345 -U <username> <databasename>`

  • pgagroal successfully does the SSL handshake.
  • Then pgagroal sends the StartupMessage to postgres.
  • Now in `server_passthrough` we are passing the authentication request messages between the client and postgres.
  • But while exchanging messages in `server_passthrough`, we are writing to and reading from the postgres file descriptor with `ssl=NULL` (which is an issue, since our SSL handshake was successful and all subsequent messages after the SSL handshake must be SSL-encrypted).

So, on writing/reading anything from the postgres file descriptor, the postgres server terminates/resets the connection. Logs of postgres (after pgagroal reads/writes to the postgres server in `server_passthrough`):

2024-09-11 00:27:29.702 IST [187451] ashu3103@test LOG:  SSL error: wrong version number
2024-09-11 00:27:29.702 IST [187451] ashu3103@test LOG:  could not receive data from client: Connection reset by peer

The current `security.c` file (where the )

...
2218:      status = pgagroal_write_message(NULL, server_fd, msg);
2219:      if (status != MESSAGE_STATUS_OK)
2220:      {
2221:         goto error;
2222:      }
2223:      pgagroal_free_message(msg);
2224:
2225:      status = pgagroal_read_block_message(NULL, server_fd, &msg);
...

Proposed Solution

  • Pass the server SSL context to `server_passthrough`
  • Pass `server_ssl` to every single write/read to postgres

...
2218:      status = pgagroal_write_message(server_ssl, server_fd, msg);
2219:      if (status != MESSAGE_STATUS_OK)
2220:      {
2221:         goto error;
2222:      }
2223:      pgagroal_free_message(msg);
2224:
2225:      status = pgagroal_read_block_message(server_ssl, server_fd, &msg);
...

@jesperpedersen @fluca1978

ashu3103 Sep 10 '24 19:09
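Why postgres logs `SSL error: wrong version number` in this situation, as an added example that is not pgagroal's or PostgreSQL's own code: a simplified model of the TLS record-header check, fed the first bytes of a plaintext StartupMessage (what a write with `ssl == NULL` puts on the wire) versus the same bytes wrapped in a TLS application-data record. The check order and the `verdict_*` helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdict of a TLS record layer on bytes received after the handshake.
 * Simplified model of the header check, not OpenSSL's own code. */
enum record_verdict { RECORD_OK, RECORD_SHORT, RECORD_WRONG_VERSION, RECORD_BAD_TYPE };

/* The version field (bytes 1-2) must be TLS 1.x (0x03,0x0N) and byte 0 a
 * known content type (0x14..0x17). Plaintext written with ssl == NULL fails
 * the version check first: the "wrong version number" Postgres logged. */
enum record_verdict tls_record_header_check(const uint8_t *buf, size_t len)
{
    if (len < 5) return RECORD_SHORT;
    if (buf[1] != 0x03) return RECORD_WRONG_VERSION;
    if (buf[0] < 0x14 || buf[0] > 0x17) return RECORD_BAD_TYPE;
    return RECORD_OK;
}

static void put_u32_be(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

/* First 8 bytes of a PostgreSQL StartupMessage: int32 length, then protocol
 * 3.0 (196608 = 0x00030000). Constructed sample; length 41 is arbitrary. */
void build_startup_prefix(uint8_t out[8])
{
    put_u32_be(out, 41);
    put_u32_be(out + 4, 196608u);
}

/* The bug: StartupMessage sent raw on the fd that just completed TLS. */
enum record_verdict verdict_plaintext_on_tls_socket(void)
{
    uint8_t buf[8];
    build_startup_prefix(buf);
    return tls_record_header_check(buf, sizeof buf);
}

/* The fix: the same bytes inside a TLS 1.2 application-data record
 * (type 0x17, version 0x0303, 2-byte length), as SSL_write would emit. */
enum record_verdict verdict_tls_wrapped(void)
{
    uint8_t buf[5 + 8] = { 0x17, 0x03, 0x03, 0x00, 0x08 };
    build_startup_prefix(buf + 5);
    return tls_record_header_check(buf, sizeof buf);
}
```

The same mismatch applies in the read direction: bytes read from the postgres fd with `ssl == NULL` are TLS records, not protocol messages, so the pass-through must carry the server SSL handle on both sides of the exchange.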