Is SSLRequest not supported by Frontend Receive()?

[andheiberg]

Hi 👋,

Sorry if this question has an obvious answer. I have no experience with GO nor the PG wire protocol.

But I've had some trouble running https://github.com/jackc/pgmock/tree/master/pgmockproxy and think I've figured out why.

Behaviour:

$ ./pgproxy -listen 127.0.0.1:5433 -remote 127.0.0.1:5432
F {"Type":"SSLRequest","ProtocolVersion":0,"Parameters":null}
... hangs ...

Debugging:

I found the following in the PG docs:

To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message rather than a StartupMessage. The server then responds with a single byte containing S or N, indicating that it is willing or unwilling to perform SSL, respectively.

My understanding of the issue is therefore:

1. Proxy listens for a message to the backend p.backend.ReceiveStartupMessage().
2. Backend gets startup message, determines it's a SSLRequest and forward it to the frontend (PG Server). p.frontend.Send(msg)
3. Proxy listens for a message from the frontend p.frontend.Receive()
4. PG Server sends a 1 byte message S
5. Proxy continues to listen because Receive() calls header, err := f.cr.Next(5) i.e. it waits for 5 bytes to be received and it has only received 1 byte.

Step 5 being the problem.

Questions:

1. Is this library supposed to support SSL connections?
2. If yes, am I correct in my understanding that it's currently broken?
3. if yes, should I try to fix it and send you a PR? Any thoughts on how you would prefer I do this? (can't guarantee I will be successful)

[gitstashpop]

pgproto3 has support for TLS (see ssl_request), but pgmockproxy is not handling the SSLRequest.

Since pgmockproxy is just a simple testing proxy, you could connect with sslmode=disable. If you would like to add TLS support for the proxy, you would need to determine the type of message returned by ReceiveStartupMessage() and handle it appropriately, e.g. returning S or N and setting up a TLS conn. HTH.

[andheiberg]

@yulicrunchy thank you 🙏 in retrospect it's funny this didn't occur to me. Naturally I would have to do TLS termination in the proxy to be able to read the queries the user is sending 🤦

I guess I wonder how I will set up a TLS connection to the remote though because of the f.cr.Next(5) though?

[andy-g]

@andheiberg @gitstashpop I'm needing to connect to a backend server that only supports connections over TLS. Does anyone have an example of how to implement that? Down the line I'd probably like to enable TLS from the proxy, so clients connecting to it can also connect via TLS, but my first concern is being able to connect to a backend postgres instances that enforces TLS. I realise I'm commenting on a really old thread here, but any help pointing me in the right direction would be hugely appreciated.