
Commit 17a834a

Reject SSL connection if ALPN is used but there's no common protocol
If the client supports ALPN but tries to use some other protocol, like HTTPS, reject the connection in the server. That is surely a confusion of some sort. Furthermore, the ALPN RFC 7301 says:

> In the event that the server supports no protocols that the client
> advertises, then the server SHALL respond with a fatal
> "no_application_protocol" alert.

This commit makes the server follow that advice.

In the client, specifically check for the OpenSSL error code for the "no_application_protocol" alert. Otherwise you got a cryptic "SSL error: SSL error code 167773280" error if you tried to connect to a non-PostgreSQL server that rejects the connection with "no_application_protocol". ERR_reason_error_string() returns NULL for that code, which frankly seems like an OpenSSL bug to me, but we can easily print a better message ourselves.

Reported-by: Jacob Champion
Discussion: https://www.postgresql.org/message-id/6aedcaa5-60f3-49af-a857-2c76ba55a1f3@iki.fi
1 parent 03a0e0d commit 17a834a

2 files changed

+19
-3
lines changed


src/backend/libpq/be-secure-openssl.c

+7-3
@@ -1336,10 +1336,14 @@ alpn_cb(SSL *ssl,
13361336

13371337
if (retval == OPENSSL_NPN_NEGOTIATED)
13381338
return SSL_TLSEXT_ERR_OK;
1339-
else if (retval == OPENSSL_NPN_NO_OVERLAP)
1340-
return SSL_TLSEXT_ERR_NOACK;
13411339
else
1342-
return SSL_TLSEXT_ERR_NOACK;
1340+
{
1341+
/*
1342+
* The client doesn't support our protocol. Reject the connection
1343+
* with TLS "no_application_protocol" alert, per RFC 7301.
1344+
*/
1345+
return SSL_TLSEXT_ERR_ALERT_FATAL;
1346+
}
13431347
}
13441348

13451349

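Review bot: The new `else` branch folds the former explicit `OPENSSL_NPN_NO_OVERLAP` case together with every other value `retval` could hold, so the comment "The client doesn't support our protocol" now also describes any unexpected return from `SSL_select_next_proto()`. The fatal alert is the right outcome for the no-overlap case per RFC 7301, but consider keeping the `retval == OPENSSL_NPN_NO_OVERLAP` test and handling the residual case separately (or at least documenting in the comment that any other value is treated the same way), so that a future change in the OpenSSL return values is not silently mapped to "no_application_protocol". Note for readers that this callback only runs when the client actually sent an ALPN extension, so clients without ALPN support are unaffected by this change.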
src/interfaces/libpq/fe-secure-openssl.c

+12
@@ -1741,6 +1741,18 @@ SSLerrmessage(unsigned long ecode)
17411741
return errbuf;
17421742
}
17431743

1744+
if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1745+
ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1746+
{
1747+
/*
1748+
* Server aborted the connection with TLS "no_application_protocol"
1749+
* alert. The ERR_reason_error_string() function doesn't give any
1750+
* error string for that for some reason, so do it ourselves.
1751+
*/
1752+
snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no application protocol"));
1753+
return errbuf;
1754+
}
1755+
17441756
/*
17451757
* In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to
17461758
* map system errno values. We can cover that shortcoming with this bit
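Review bot: `snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no application protocol"))` passes a translatable string directly as the format argument; if a translation ever contains a `%`, it would be interpreted as a conversion specifier. Safer to write `snprintf(errbuf, SSL_ERR_LEN, "%s", libpq_gettext("no application protocol"))` or use `strlcpy()`, matching how the other fixed messages in this function should be emitted. The match condition itself looks right: OpenSSL reports received TLS alerts as `ERR_LIB_SSL` reasons offset by `SSL_AD_REASON_OFFSET`, so `SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL` is the code the server's new fatal alert produces on the client side, and the comment correctly explains why `ERR_reason_error_string()` is bypassed here.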
