Direct TLS can speed up your connections

https://news.ycombinator.com/rss Hits: 9
Summary

Here are those same Postgres docs again, this time on version 17. There's new content!

"A second alternate way to initiate SSL encryption is available. The server will recognize connections which immediately begin SSL negotiation without any previous SSLRequest packets. Once the SSL connection is established the server will expect a normal startup-request packet and continue negotiation over the encrypted channel."

What this is saying is that if you're using Postgres 17+ on both the server and client, you can skip steps 1 and 2 from earlier: the client opens the connection and starts with a TLS handshake right away. To turn this feature on in the client, you need three things:

- A Postgres 17+ client
- sslmode=require, set as a connection parameter or via $PGSSLMODE
- sslnegotiation=direct, set as a connection parameter

We added this feature to Aurora DSQL, and boom, problem solved. No more 3 second stalls. By making the server support direct TLS, that second connection opened by the firewall would succeed.

The Postgres docs go on to say:

"In this case any other requests for encryption will be refused. This method is not preferred for general purpose tools as it cannot negotiate the best connection encryption available or handle unencrypted connections. However it is useful for environments where both the server and client are controlled together. In that case it avoids one round trip of latency and allows the use of network tools that depend on standard SSL connections. When using SSL connections in this style the client is required to use the ALPN extension defined by RFC 7301 to protect against protocol confusion attacks. The PostgreSQL protocol is "postgresql" as registered at IANA TLS ALPN Protocol IDs registry."

Saving a round trip is cool! Who doesn't like faster connections? Aurora DSQL, like most AWS services, is TLS-only. If you connect to DSQL without requesting TLS, you'll get rejected:

psql "host=beabuc4gtix7m2hr6xh2huewkm.dsql.us-west-2.on.aws sslmode=disable"
FATAL: unable to accept connection,...
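The three opening moves described above (legacy SSLRequest, direct TLS, plaintext startup), as an added example that is not code from the post or from Aurora DSQL: a packet classifier of the kind a proxy or firewall needs to tell them apart, plus a client that does the direct-TLS handshake and enforces the "postgresql" ALPN check the docs require. The sample ClientHello prefix is constructed; open_direct_tls() needs a real Postgres 17+ server to talk to.

```python
import socket
import ssl
import struct

# Wire constants from the PostgreSQL frontend/backend protocol.
SSL_REQUEST_CODE = (1234 << 16) | 5679   # 80877103, the legacy SSLRequest
PROTOCOL_3_0 = 3 << 16                   # StartupMessage protocol version 3.0
TLS_HANDSHAKE = 0x16                     # TLS record content type "handshake"
ALPN_POSTGRES = "postgresql"             # IANA-registered ALPN protocol id

# Constructed sample: the first 11 bytes of a TLS 1.2/1.3 ClientHello record.
SAMPLE_DIRECT_TLS_PREFIX = bytes.fromhex("16030100c4010000c00303")


def build_ssl_request() -> bytes:
    """Legacy step 1: the 8-byte SSLRequest a client sends before any TLS bytes."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_first_packet(data: bytes) -> str:
    """Classify the first bytes a client sends on a fresh Postgres connection.

    'direct-tls'  TLS ClientHello immediately (sslnegotiation=direct)
    'sslrequest'  legacy SSLRequest; server replies 'S' or 'N' in plaintext
    'startup'     unencrypted StartupMessage (what sslmode=disable sends)
    """
    if len(data) >= 2 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "direct-tls"
    if len(data) >= 8:
        length, code = struct.unpack("!II", data[:8])
        if length == 8 and code == SSL_REQUEST_CODE:
            return "sslrequest"
        if length >= 8 and code == PROTOCOL_3_0:
            return "startup"
    return "unknown"


def direct_tls_context() -> ssl.SSLContext:
    """Client context for direct TLS: verified certificates plus the mandatory ALPN."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols([ALPN_POSTGRES])
    return ctx


def open_direct_tls(host: str, port: int = 5432, timeout: float = 5.0) -> ssl.SSLSocket:
    """Skip SSLRequest entirely: the TLS handshake is the first thing on the wire.

    Refuses the session unless the server selected the 'postgresql' ALPN id,
    which is the protocol-confusion guard the docs require for this mode.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = direct_tls_context().wrap_socket(raw, server_hostname=host)
    if tls.selected_alpn_protocol() != ALPN_POSTGRES:
        tls.close()
        raise ssl.SSLError("server did not negotiate ALPN 'postgresql'")
    return tls  # caller now sends the normal StartupMessage over this socket
```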

First seen: 2025-05-22 07:23

Last seen: 2025-05-22 15:25