From 17a834a04d5a60aedd6899488a53d939d525fb16 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 29 Apr 2024 18:12:26 +0300 Subject: Reject SSL connection if ALPN is used but there's no common protocol If the client supports ALPN but tries to use some other protocol, like HTTPS, reject the connection in the server. That is surely a confusion of some sort. Furthermore, the ALPN RFC 7301 says: > In the event that the server supports no protocols that the client > advertises, then the server SHALL respond with a fatal > "no_application_protocol" alert. This commit makes the server follow that advice. In the client, specifically check for the OpenSSL error code for the "no_application_protocol" alert. Otherwise you got a cryptic "SSL error: SSL error code 167773280" error if you tried to connect to a non-PostgreSQL server that rejects the connection with "no_application_protocol". ERR_reason_error_string() returns NULL for that code, which frankly seems like an OpenSSL bug to me, but we can easily print a better message ourselves. Reported-by: Jacob Champion Discussion: https://www.postgresql.org/message-id/6aedcaa5-60f3-49af-a857-2c76ba55a1f3@iki.fi --- src/backend/libpq/be-secure-openssl.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'src/backend/libpq/be-secure-openssl.c') diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index fc46a335394..60cf68aac4a 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -1336,10 +1336,14 @@ alpn_cb(SSL *ssl, if (retval == OPENSSL_NPN_NEGOTIATED) return SSL_TLSEXT_ERR_OK; - else if (retval == OPENSSL_NPN_NO_OVERLAP) - return SSL_TLSEXT_ERR_NOACK; else - return SSL_TLSEXT_ERR_NOACK; + { + /* + * The client doesn't support our protocol. Reject the connection + * with TLS "no_application_protocol" alert, per RFC 7301. + */ + return SSL_TLSEXT_ERR_ALERT_FATAL; + } } -- cgit v1.2.3