neondatabase / neon

Neon: Serverless Postgres. We separated storage and compute to offer autoscaling, code-like database branching, and scale to zero.
https://neon.tech
Apache License 2.0

Feature: Direct SSL negotiation support #7809

Closed hlinnaka closed 3 weeks ago

hlinnaka commented 4 months ago

PostgreSQL 17 supports "direct SSL connections". That means you can start the TLS handshake immediately after opening the TCP connection, without the traditional SSLRequest negotiation. That eliminates one round-trip from establishing a connection. libpq in v17 has a new option, sslnegotiation=direct, to use the new mode.

Let's add support for that to the proxy. There are two parts to this:

  1. Accept "direct SSL" connections from clients.

    Because our proxy parses and handles the authentication, we can accept direct SSL connections regardless of the Postgres server version that you're ultimately connecting to.

  2. Use the new direct SSL connections when connecting to a v17 server. We don't have v17 computes yet, so this will need to wait until we do.
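Accepting part 1 comes down to peeking at the first bytes a client sends and telling a TLS ClientHello apart from the legacy 8-byte SSLRequest and from a plaintext StartupMessage. The following is an added example, not neon's proxy code and not from the issue author; it uses the request codes and message layouts from the PostgreSQL frontend/backend protocol, which are real, but the 10 000-byte length bound, the "refuse anything unencrypted" policy in next_action, and all function and type names are this example's own assumptions.

```rust
// Added example (not neon's proxy code): classify the first bytes a client
// sends on a fresh TCP connection so a proxy can accept both the legacy
// SSLRequest negotiation and PostgreSQL 17's direct TLS handshake.

/// Legacy request codes from the PostgreSQL frontend/backend protocol
/// (1234 in the high 16 bits, 5678 / 5679 / 5680 in the low 16 bits).
const CANCEL_REQUEST_CODE: u32 = 80877102;
const SSL_REQUEST_CODE: u32 = 80877103;
const GSSENC_REQUEST_CODE: u32 = 80877104;
/// TLS record content type of a Handshake record (the ClientHello).
const TLS_HANDSHAKE_RECORD: u8 = 0x16;

#[derive(Debug, PartialEq, Eq)]
pub enum FirstMessage {
    /// Client sent a TLS ClientHello immediately (sslnegotiation=direct).
    DirectTls { record_version: (u8, u8) },
    /// 8-byte SSLRequest; the server answers 'S' and then expects the TLS handshake.
    SslRequest,
    GssEncRequest,
    CancelRequest,
    /// Plaintext StartupMessage carrying protocol major.minor.
    Startup { major: u16, minor: u16 },
    NeedMoreData,
    Invalid,
}

pub fn classify_first_bytes(buf: &[u8]) -> FirstMessage {
    use FirstMessage::*;
    if buf.is_empty() {
        return NeedMoreData;
    }
    // A legacy message starts with a big-endian Int32 length. 0x16 as the high
    // byte would mean a length of at least 369 MB, which no valid startup packet
    // has, so a single peeked byte disambiguates direct TLS from the legacy path.
    if buf[0] == TLS_HANDSHAKE_RECORD {
        if buf.len() < 3 {
            return NeedMoreData;
        }
        return DirectTls { record_version: (buf[1], buf[2]) };
    }
    if buf.len() < 8 {
        return NeedMoreData;
    }
    let len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]);
    let code = u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]);
    // Startup packets are small; the 10 000-byte bound is this example's assumption.
    if len < 8 || len > 10_000 {
        return Invalid;
    }
    match code {
        SSL_REQUEST_CODE if len == 8 => SslRequest,
        GSSENC_REQUEST_CODE if len == 8 => GssEncRequest,
        CANCEL_REQUEST_CODE if len == 16 => CancelRequest,
        _ => {
            let (major, minor) = ((code >> 16) as u16, (code & 0xffff) as u16);
            if major == 3 { Startup { major, minor } } else { Invalid }
        }
    }
}

/// What a TLS-requiring proxy does next for each classification (assumed policy).
#[derive(Debug, PartialEq, Eq)]
pub enum Action {
    /// Nothing to send first: hand the socket to the TLS acceptor right away.
    StartTlsNow,
    /// Send this one-byte reply, then run the TLS handshake on the same socket.
    ReplyThenStartTls(u8),
    /// Send this one-byte reply and keep reading the legacy negotiation.
    ReplyAndContinue(u8),
    ReadMore,
    Close,
}

pub fn next_action(msg: &FirstMessage) -> Action {
    match msg {
        FirstMessage::DirectTls { .. } => Action::StartTlsNow,
        FirstMessage::SslRequest => Action::ReplyThenStartTls(b'S'),
        // 'N' declines GSSAPI encryption; a libpq client then falls back to SSLRequest.
        FirstMessage::GssEncRequest => Action::ReplyAndContinue(b'N'),
        FirstMessage::NeedMoreData => Action::ReadMore,
        // Plaintext startup, cancel (not handled in this example) or junk: refuse.
        _ => Action::Close,
    }
}

/// The client-side SSLRequest packet, for the legacy path when dialing a server.
pub fn ssl_request_packet() -> [u8; 8] {
    let mut p = [0u8; 8];
    p[..4].copy_from_slice(&8u32.to_be_bytes());
    p[4..].copy_from_slice(&SSL_REQUEST_CODE.to_be_bytes());
    p
}

fn main() {
    // Constructed samples: the start of a TLS ClientHello record and a legacy SSLRequest.
    let direct = [0x16, 0x03, 0x01, 0x00, 0xf4];
    let legacy = ssl_request_packet();
    for buf in [&direct[..], &legacy[..]] {
        let msg = classify_first_bytes(buf);
        println!("{:?} -> {:?}", msg, next_action(&msg));
    }
}
```

One caveat the classifier does not cover: PostgreSQL 17 requires the ALPN protocol name "postgresql" on direct SSL connections, so a proxy accepting direct TLS should enforce that in its TLS acceptor configuration rather than relying on the 0x16 peek alone.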

hlinnaka commented 4 months ago

The direct SSL protocol is described in https://www.postgresql.org/docs/devel/protocol-flow.html#PROTOCOL-FLOW-SSL

hlinnaka commented 4 months ago

Once you start to look at this, I'd like to get feedback on the relevant PostgreSQL documentation. Is it clear from the docs how it works? Anything missing that should be mentioned?

conradludgate commented 4 months ago

@hlinnaka when is postgres 17 due to release?

hlinnaka commented 4 months ago

> @hlinnaka when is postgres 17 due to release?

Around September 2024

hlinnaka commented 4 months ago

The GA 17.0 release is around September 2024, but v17 beta1 will be released in the next few days. There's no rush, but it would be nice to have this some time before the GA release.