aboutsummaryrefslogtreecommitdiff
path: root/doc/src/sgml/protocol.sgml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/protocol.sgml')
-rw-r--r--doc/src/sgml/protocol.sgml28
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index ec8565298d6..57e5333e388 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1472,6 +1472,20 @@ SELCT 1/0;<!-- this typo is intentional -->
</para>
<para>
+ When <acronym>SSL</acronym> encryption can be performed, the server
+ is expected to send only the single <literal>S</literal> byte and then
+ wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
+ If additional bytes are available to read at this point, it likely
+ means that a man-in-the-middle is attempting to perform a
+ buffer-stuffing attack
+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
+ Frontends should be coded either to read exactly one byte from the
+ socket before turning the socket over to their SSL library, or to
+ treat it as a protocol violation if they find they have read additional
+ bytes.
+ </para>
+
+ <para>
An initial SSLRequest can also be used in a connection that is being
opened to send a CancelRequest message.
</para>
@@ -1533,6 +1547,20 @@ SELCT 1/0;<!-- this typo is intentional -->
</para>
<para>
+ When <acronym>GSSAPI</acronym> encryption can be performed, the server
+ is expected to send only the single <literal>G</literal> byte and then
+ wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
+ If additional bytes are available to read at this point, it likely
+ means that a man-in-the-middle is attempting to perform a
+ buffer-stuffing attack
+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
+ Frontends should be coded either to read exactly one byte from the
+ socket before turning the socket over to their GSSAPI library, or to
+ treat it as a protocol violation if they find they have read additional
+ bytes.
+ </para>
+
+ <para>
An initial GSSENCRequest can also be used in a connection that is being
opened to send a CancelRequest message.
</para>
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-19 11:14:42 +0000