From e3e5ba1e519db6d3617bef5601c92dd11356d01a Mon Sep 17 00:00:00 2001
From: Tatsuo Ishii
Date: Mon, 18 Nov 2024 15:40:53 +0900
Subject: [PATCH] Abort SSL negotiation if backend sends an error message.

In the client side implementation of SSL negotiation (pool_ssl_negotiate_clientserver()), it was possible for a man-in-the-middle attacker to send a long error message to confuse Pgpool-II or client while in the SSL negotiation phase. This commit rejects the negotiation immediately (issue a FATAL error) and exits the session to prevent such an attack. This resembles PostgreSQL's CVE-2024-10977.

Backpatch-through: v4.1
---
 src/utils/pool_ssl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/utils/pool_ssl.c b/src/utils/pool_ssl.c
index 692616714..8d3c8cafc 100644
--- a/src/utils/pool_ssl.c
+++ b/src/utils/pool_ssl.c
@@ -152,6 +152,16 @@ pool_ssl_negotiate_clientserver(POOL_CONNECTION * cp)
 					(errmsg("attempting to negotiate a secure connection"),
 					 errdetail("server doesn't want to talk SSL")));
 			break;
+		case 'E':
+			/*
+			 * Server failure of some sort, such as failure to fork a backend
+			 * process. Don't bother retrieving the error message; we should
+			 * not trust it as the server has not been authenticated yet.
+			 */
+			ereport(FATAL,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 errmsg("server sent an error response during SSL exchange")));
+			break;
 		default:
 			ereport(WARNING,
 					(errmsg("error while attempting to negotiate a secure connection, unhandled response: %c", server_response)));
-- 
2.39.5
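Review bot: The `default:` branch directly after the new `case 'E':` still only emits a WARNING when the not-yet-authenticated server answers the SSLRequest with any byte other than 'S', 'N' or 'E', while the new case treats the equally untrusted 'E' as a protocol violation and aborts. A man-in-the-middle chooses that response byte just as freely, so the same reasoning applies; unless the code after the switch (outside this hunk) already fails the connection, the default branch should also be `ereport(FATAL, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("error while attempting to negotiate a secure connection, unhandled response: %c", server_response)));`, which is how libpq handles an invalid SSL negotiation response. The `break;` following the FATAL ereport is unreachable if ereport(FATAL) does not return, which is acceptable defensive form but worth a `/* not reached */` comment so it is not mistaken for a recoverable path. The enclosing function pool_ssl_negotiate_clientserver() begins and ends outside this hunk.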