[#461] fix ssl connection to postgres in server_passthrough
Refer #462
Ideally I would like to see the information inside

- doc/tutorial/06_tls.md
- doc/manual/advanced/08-tls.md

if you can find some way to "combine" it. Or we need it after the TLS chapter - therefore moving the vault chapter
@Userfrom1995 Can you take this one?

> @Userfrom1995 Can you take this one?

Sure, I can take this one.
@Userfrom1995 Thanks, work with @ashu3103 to get it done
@Userfrom1995 hey,
In this PR one of our primary aims was to enable, or more precisely fix, the scram-sha-256 capabilities (can extend it to scram-sha-256-plus later on). The main issue I was facing is that while parsing the AuthenticationSASL message from the server side, it includes scram-sha-256-plus in the list, which is not supported by pgagroal currently, and this was giving channel binding errors at the client side. I will draft a more formal description of the issue and how I tried encountering it later (still finding my documented work 😓).
Till then you can go through the security.c file and the SASL Authentication and the corresponding message exchanges. Also, you can follow the tutorial/06_tls.md tutorial in the changed files (remember to replace md5 with scram-sha-256 in the pg_hba file) and you will see the issue.
Edit: You can add this work and probably scram-sha-256-plus support as a part of your Security Enhancement milestones too.
Thanks
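The AuthenticationSASL message mentioned in the comment above carries the server's mechanism list as NUL-terminated names closed by an empty name. As an added example (not pgagroal code and not part of the PR; `parse_authentication_sasl`, `struct sasl_offer` and the sample message are hypothetical and constructed here), a bounds-checked parser that reports whether SCRAM-SHA-256-PLUS is being advertised:

```c
#include <stdint.h>
#include <string.h>

#define AUTH_SASL 10 /* auth code carried by AuthenticationSASL */
#define MAX_MECHS 8

struct sasl_offer {               /* hypothetical result type */
    int count;
    const char *names[MAX_MECHS]; /* point into the message buffer */
    int has_plus;                 /* SCRAM-SHA-256-PLUS advertised */
    int has_plain;                /* SCRAM-SHA-256 advertised */
};

/* Constructed sample: 'R', Int32 length 42, Int32 10, two names, empty name. */
static const unsigned char SAMPLE[] =
    "R\0\0\0\x2a\0\0\0\x0a" "SCRAM-SHA-256-PLUS\0" "SCRAM-SHA-256\0";

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the message is malformed or truncated. */
int parse_authentication_sasl(const unsigned char *msg, size_t n,
                              struct sasl_offer *out)
{
    memset(out, 0, sizeof(*out));
    if (n < 10 || msg[0] != 'R') return -1;
    if ((size_t)be32(msg + 1) + 1 != n) return -1; /* length excludes type byte */
    if (be32(msg + 5) != AUTH_SASL) return -1;
    size_t pos = 9;
    while (pos < n && msg[pos] != '\0') {
        const unsigned char *end = memchr(msg + pos, '\0', n - pos);
        if (end == NULL || out->count == MAX_MECHS) return -1;
        const char *name = (const char *)(msg + pos);
        out->names[out->count++] = name;
        if (strcmp(name, "SCRAM-SHA-256-PLUS") == 0) out->has_plus = 1;
        if (strcmp(name, "SCRAM-SHA-256") == 0) out->has_plain = 1;
        pos = (size_t)(end - msg) + 1;
    }
    return pos == n - 1 ? 0 : -1; /* list must end with one empty name */
}
```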
@Userfrom1995 Don't worry about the SCRAM-SHA-XYZ-PLUS and associated UTF-8 work right now (https://datatracker.ietf.org/doc/html/rfc7677 - https://github.com/agroal/pgagroal/issues/52, https://github.com/agroal/pgagroal/issues/51)
Hey @ashu3103,
Thanks for the heads-up and the detailed context — really helpful! I’ll go through security.c, try to reproduce the error, and see how best to address it.
Regarding the idea of adding support for scram-sha-256-plus, I agree — it’s a great addition and fits well within my security enhancement milestones. I’ll make sure to include it in the plan.
Appreciate your input!