How does Postgres negotiate TLS usage?
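I am a bit confused about the Postgres option sslmode=prefer. It implies that it negotiates with the server to determine whether the server supports TLS.
I am curious how it does that. Does it try TLS first and if it fails, try without TLS, or am I missing something in TLS (or Postgres) that enables them to actually negotiate?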
Does it try TLS first and if it fails, try without TLS
Yes. This can be visible when both attempts fail, because two different error messages may be produced.
Some additional information to @janes's answer:
https://www.postgresql.org/docs/current/protocol-flow.html
To initiate an SSL-encrypted connection, the frontend initially sends
an SSLRequest message rather than a StartupMessage. The server then
responds with a single byte containing S or N, indicating that it is
willing or unwilling to perform SSL, respectively. The frontend might
close the connection at this point if it is dissatisfied with the
response. To continue after S, perform an SSL startup handshake (not
described here, part of the SSL specification) with the server. If
this is successful, continue with sending the usual StartupMessage. In
this case the StartupMessage and all subsequent data will be
SSL-encrypted. To continue after N, send the usual StartupMessage and
proceed without encryption.
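The exchange quoted above, as an added example (not part of the original answers and not libpq's code): the client sends the 8-byte SSLRequest, reads the one-byte S or N reply, and then decides what to do. The names fake_server, ask_for_tls and next_step are hypothetical, the server is a constructed stand-in on a local socket pair, and next_step is a simplified model covering only sslmode=prefer and sslmode=require.

```python
import socket
import struct
import threading

# SSLRequest code from the protocol docs: 1234 in the high 16 bits, 5679 in the low.
SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103


def build_ssl_request() -> bytes:
    # Int32 total length (8) followed by Int32 request code, network byte order.
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def fake_server(conn: socket.socket, supports_tls: bool) -> None:
    # Constructed stand-in for a server: validates the SSLRequest and
    # answers with the single byte S (willing) or N (unwilling).
    with conn:
        length, code = struct.unpack("!II", conn.recv(8, socket.MSG_WAITALL))
        ok = (length, code) == (8, SSL_REQUEST_CODE)
        conn.sendall(b"S" if ok and supports_tls else b"N")


def ask_for_tls(supports_tls: bool) -> bytes:
    # Runs one SSLRequest round trip and returns the server's reply byte.
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server, supports_tls))
    worker.start()
    with client:
        client.sendall(build_ssl_request())
        reply = client.recv(1)
    worker.join()
    return reply


def next_step(sslmode: str, reply: bytes) -> str:
    # Simplified model (assumption) of the client's choice. The reply arrives
    # before any TLS exists, so only the client's own policy decides whether
    # an N ends the connection or leads to an unencrypted session.
    if reply == b"S":
        return "tls-handshake"
    if reply == b"N" and sslmode == "prefer":
        return "plaintext-startup"
    return "close"


if __name__ == "__main__":
    for tls in (True, False):
        reply = ask_for_tls(tls)
        for mode in ("prefer", "require"):
            print(f"server_tls={tls} reply={reply!r} sslmode={mode} -> {next_step(mode, reply)}")
```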