Error in ReceiveStartupMessage during SSL handshake
ThadeuFMelo opened this issue · comments
I'm building a query interface compatible with PostgreSQL and for now the connection works only for a simple cli psql.
Now I'm testing the connection with Datagrip and other IDEs and be compatible with PowerBI and Metabase connectors.
I'm encountering an error when trying to receive a startup message in my Go application using the ReceiveStartupMessage method from my backend package. The error message is 'invalid length of startup packet: 369296125'.
`func (p *PgBackend) handleSSLRequest(sslRequest pgproto3.SSLRequest) (int, error) {
conn := p.conn
sslRequest.Frontend()
//Send SSL response
//SSL Response: Willing to perform SSL ('S')
_, err := conn.Write([]byte("S"))
if err != nil {
return 0, err
}
return 1, nil
}`
After return 'S', I get in Wireshark a TLS "Hello Client" message from Datagrip
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 459
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 455
Version: TLS 1.2 (0x0303)
Random: 8332ce2ecb4a640f9d193a260c0cabd221cf84cad619e2a6d45ff21edeb583b3
Session ID Length: 32
Session ID: 57c9bf6452c61edcfd36bdf6ec54bd3b722ca83973e9da236fb9012366968220
Cipher Suites Length: 98
Cipher Suites (49 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 284
Extension: status_request (len=5)
Extension: supported_groups (len=22)
Extension: ec_point_formats (len=2)
Extension: status_request_v2 (len=9)
Extension: extended_master_secret (len=0)
Extension: session_ticket (len=0)
Extension: signature_algorithms (len=44)
Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
Extension: psk_key_exchange_modes (len=2)
Extension: signature_algorithms_cert (len=44)
Extension: key_share (len=107) x25519, secp256r1
[JA4: t13i491100_bd868743f55c_7c76daad20ec]
[JA4_r [truncated]: t13i491100_002f,0032,0033,0035,0038,0039,003c,003d,0040,0067,006a,006b,009c,009d,009e,009f,00a2,00a3,00ff,1301,1302,1303,c004,c005,c009,c00a,c00e,c00f,c013,c014,c023,c024,c025,c026,c027,c028,c029,c02a,c02b,c02c,c02d,c02e]
[JA3 Fullstring [truncated]: 771,4866-4865-4867-49196-49195-52393-49200-52392-49199-159-52394-163-158-162-49188-49192-49187-49191-107-106-103-64-49198-49202-49197-49201-49190-49194-49189-49193-49162-49172-49161-49171-57-56-51-50-49157-49167]
[JA3: 57900674e6344e6daca60641dfd512dd]
What I'm missing here?
First, I suggest using the package github.com/jackc/pgx/v5/pgproto3 instead of this package. This package was merged into pgx v5 well over a year ago.
Second, I'm not sure what's going in your situation, but my guess is the next thing you need to do on your server after accepting the SSLRequest
PostgreSQL message is to use the crypto/tls
package on your net.Conn
to make it act as a TLS server.
Also, I would want to validate that psql is doing what you think it is. Use PGSSLMODE=require to ensure it is actually using SSL. It's possible it's working because it's not using SSL at all.