Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing

From: Heikki Linnakangas
Subject: Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
Msg-id deccad52-e613-b4ac-4a1f-a6804b199667@iki.fi
In response to: Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing  (Lukas Meisegeier <MeisegeierLukas@gmx.de>)
Responses: Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing  (Lukas Meisegeier <MeisegeierLukas@gmx.de>)
List: pgsql-hackers
On 12/12/2020 13:52, Lukas Meisegeier wrote:
> Thanks for the provided ideas :)
> I use HaProxy for my load-balancing and unfortunately I can't define
> that I want to listen on a port for both ssl and non ssl requests.

Could you configure HaProxy to listen on separate ports for SSL and 
non-SSL connections, then? And forward both to the same Postgres server.

> That means if I try to return a fixed response 'S' on the SSLRequest it
> fails with an SSL-Handshake failure cause the server expects a ssl message.

That doesn't sound right to me, or perhaps I have misunderstood what you 
mean. If you don't send the SSLRequest to the Postgres server, but "eat" 
it in the proxy, the Postgres server will not try to do an SSL handshake.

> I have to say the psql ssl handshake procedure is really unique and
> challenging :D

Yeah. IMAP and SMTP can use "STARTTLS" to switch an unencrypted 
connection to encrypted, though. That's pretty similar to the 
'SSLRequest' message used in the postgres protocol.

- Heikki
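
An added illustration of the exchange discussed in this message (not code from the thread, PostgreSQL or HAProxy): a TLS-terminating proxy that recognises the client's first packet, answers the SSLRequest with 'S' itself and forwards only the StartupMessage, so the backend never sees an SSLRequest. The function names, the length bound and the policy of rejecting bytes pipelined behind the SSLRequest are assumptions of this sketch.

```python
import struct

# Request codes from the PostgreSQL wire protocol (1234 << 16 | n).
CANCEL_REQUEST = 80877102
SSL_REQUEST = 80877103
GSSENC_REQUEST = 80877104
PROTOCOL_3_0 = 3 << 16
MAX_STARTUP_LEN = 10000  # sanity bound chosen for this sketch

def classify(buf):
    """Return (kind, bytes_consumed) for the first packet a client sends."""
    if len(buf) < 8:
        return "incomplete", 0
    length, code = struct.unpack("!II", buf[:8])
    if length < 8 or length > MAX_STARTUP_LEN:
        return "invalid", 0
    if len(buf) < length:
        return "incomplete", 0
    if code == SSL_REQUEST and length == 8:
        return "ssl_request", 8
    if code == GSSENC_REQUEST and length == 8:
        return "gssenc_request", 8
    if code == CANCEL_REQUEST and length == 16:
        return "cancel_request", 16
    if code == PROTOCOL_3_0:
        return "startup", length
    return "invalid", 0

def proxy_step(buf):
    """Return (action, reply_to_client, forward_to_backend) for a TLS-terminating proxy."""
    kind, used = classify(buf)
    if kind == "ssl_request":
        if len(buf) > used:
            # Plaintext pipelined behind SSLRequest must never be read as if it came through TLS.
            return "reject", b"", b""
        # The proxy answers 'S' itself; the SSLRequest is not forwarded.
        return "start_tls", b"S", b""
    if kind == "gssenc_request":
        return "continue", b"N", b""  # decline GSSAPI encryption, keep reading
    if kind in ("startup", "cancel_request"):
        return "forward", b"", buf[:used]
    if kind == "incomplete":
        return "wait", b"", b""
    return "reject", b"", b""

# Constructed sample packets (not captured traffic).
SSLREQ = struct.pack("!II", 8, SSL_REQUEST)
GSSREQ = struct.pack("!II", 8, GSSENC_REQUEST)
_BODY = b"user\x00app\x00database\x00appdb\x00\x00"
STARTUP = struct.pack("!II", 8 + len(_BODY), PROTOCOL_3_0) + _BODY
```

After `start_tls` the proxy completes the TLS handshake with the client and calls `proxy_step` again on the decrypted bytes, which then carry the StartupMessage to forward.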