Error in ReceiveStartupMessage during SSL handshake

Question

Error in ReceiveStartupMessage during SSL handshake

ThadeuFMelo opened this issue 5 months ago · comments

I'm building a query interface compatible with PostgreSQL and for now the connection works only for a simple cli psql.

Now I'm testing the connection with Datagrip and other IDEs and be compatible with PowerBI and Metabase connectors.

I'm encountering an error when trying to receive a startup message in my Go application using the ReceiveStartupMessage method from my backend package. The error message is 'invalid length of startup packet: 369296125'.

`func (p *PgBackend) handleSSLRequest(sslRequest pgproto3.SSLRequest) (int, error) {
conn := p.conn

sslRequest.Frontend()

//Send SSL response
//SSL Response: Willing to perform SSL ('S')
_, err := conn.Write([]byte("S"))
if err != nil {
	return 0, err
}

return 1, nil

}`

After return 'S', I get in Wireshark a TLS "Hello Client" message from Datagrip

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 459
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 455
            Version: TLS 1.2 (0x0303)
            Random: 8332ce2ecb4a640f9d193a260c0cabd221cf84cad619e2a6d45ff21edeb583b3
            Session ID Length: 32
            Session ID: 57c9bf6452c61edcfd36bdf6ec54bd3b722ca83973e9da236fb9012366968220
            Cipher Suites Length: 98
            Cipher Suites (49 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 284
            Extension: status_request (len=5)
            Extension: supported_groups (len=22)
            Extension: ec_point_formats (len=2)
            Extension: status_request_v2 (len=9)
            Extension: extended_master_secret (len=0)
            Extension: session_ticket (len=0)
            Extension: signature_algorithms (len=44)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
            Extension: psk_key_exchange_modes (len=2)
            Extension: signature_algorithms_cert (len=44)
            Extension: key_share (len=107) x25519, secp256r1
            [JA4: t13i491100_bd868743f55c_7c76daad20ec]
            [JA4_r [truncated]: t13i491100_002f,0032,0033,0035,0038,0039,003c,003d,0040,0067,006a,006b,009c,009d,009e,009f,00a2,00a3,00ff,1301,1302,1303,c004,c005,c009,c00a,c00e,c00f,c013,c014,c023,c024,c025,c026,c027,c028,c029,c02a,c02b,c02c,c02d,c02e]
            [JA3 Fullstring [truncated]: 771,4866-4865-4867-49196-49195-52393-49200-52392-49199-159-52394-163-158-162-49188-49192-49187-49191-107-106-103-64-49198-49202-49197-49201-49190-49194-49189-49193-49162-49172-49161-49171-57-56-51-50-49157-49167]
            [JA3: 57900674e6344e6daca60641dfd512dd]

What I'm missing here?

Jack Christensen · Answer 1 · Sat Feb 03 2024 22:36:44 GMT+0800 (China Standard Time)

First, I suggest using the package github.com/jackc/pgx/v5/pgproto3 instead of this package. This package was merged into pgx v5 well over a year ago.

Second, I'm not sure what's going in your situation, but my guess is the next thing you need to do on your server after accepting the SSLRequest PostgreSQL message is to use the crypto/tls package on your net.Conn to make it act as a TLS server.

Also, I would want to validate that psql is doing what you think it is. Use PGSSLMODE=require to ensure it is actually using SSL. It's possible it's working because it's not using SSL at all.

ThadeuFMelo · Answer 2 · Sat Feb 03 2024 22:55:29 GMT+0800 (China Standard Time)

Thanks. We decided to move forward without SSL for now. However, Datagrip and PowerBI drivers are very stringent with the protocol reject the connection if they don't have all the correct parameters. This was supposed to be a simple proxy, but I fear we would need to become as complex as a database server. Em sáb., 3 de fev. de 2024 11:36, Jack Christensen ***@***.***> escreveu:

…

First, I suggest using the package github.com/jackc/pgx/v5/pgproto3 instead of this package. This package was merged into pgx v5 well over a year ago. Second, I'm not sure what's going in your situation, but my guess is the next thing you need to do on your server after accepting the SSLRequest PostgreSQL message is to use the crypto/tls package on your net.Conn to make it act as a TLS server. Also, I would want to validate that psql is doing what you think it is. Use PGSSLMODE=require to ensure it is actually using SSL. It's possible it's working because it's not using SSL at all. — Reply to this email directly, view it on GitHub <#33 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BFMKZM2H3EXOCYKXWNIGAHLYRZDQPAVCNFSM6AAAAABCTVERS6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRVGM2DKMRRGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>