[#461] fix ssl connection to postgres in server_passthrough

[ashu3103]

Refer #462

[jesperpedersen]

Ideally I would like to see the information inside

doc/tutorial/06_tls.md
doc/manual/advanced/08-tls.md

if you can find some way to "combine" it. Or we need it after the TLS chapter - therefore moving the vault chapter

[jesperpedersen]

@Userfrom1995 Can you take this one ?

[Userfrom1995]

@Userfrom1995 Can you take this one ?
Sure, I can take this one.

[jesperpedersen]

@Userfrom1995 Thanks, work with @ashu3103 to get it done

[ashu3103]

@Userfrom1995 hey,

In this PR one of our primary aim was to enable or more precisely fix the scram-sha-256 capabilities (can extend it to scram-sha-256-plus later on). The main issue I was facing is that while parsing AuthenticationSASL message from the server side, it includes the scram-sha-256-plus in the list which is not supported by pgagroal currently which was giving channel bonding errors at the client side. I will draft a more formal description of the issue and how I tried encountering it later (still finding my documented work 😓).

Till then you can go through security.c file and the SASL Authentication and the corresponding message exchanges. Also you can follow the tutorial/06_tls.md tutorial in the changed files (remember to replace md5 with scram-sha-256 in the pg_hba file) you will see the issue.

Edit: You can add this work and probably scram-sha-256-plus support as a part of your Security Enhancement milestones too.

Thanks

[jesperpedersen]

@Userfrom1995 Don't worry about the SCRAM-SHA-XYZ-PLUS and associated UTF-8 work right now (https://datatracker.ietf.org/doc/html/rfc7677 - #52, #51)

[Userfrom1995]

Hey @ashu3103 ,

Thanks for the heads-up and the detailed context — really helpful! I’ll go through security.c , try to reproduce the error, and see how best to address it.

Regarding the idea of adding support for scram-sha-256-plus, I agree — it’s a great addition and fits well within my security enhancement milestones. I’ll make sure to include it in the plan.

Appreciate your input!

[jesperpedersen]

@ashu3103 Can you rebase on master ?
@Userfrom1995 Can you give this a quick scan based on master ?

[jesperpedersen]

@ashu3103 cough

[ashu3103]

@ashu3103 cough

Hi @jesperpedersen, actually I am away from my workstation for a while. I'll ping you once I'll be back again

[jesperpedersen]

@fluca1978 Can you take a quick check ?

[fluca1978]

I've locally rebased it against master and run some tests, it works fine on my side.
@jesperpedersen would you like to merge this or do you think we need more tests?

[jesperpedersen]

@fluca1978 We can merge

[fluca1978]

Closing this since I merged.

Thanks @ashu3103 for your work.
Thanks @Userfrom1995 for your work too.