insecure connection: secure channel data mismatch
Hi, I'm trying to use the Tailscale
pgproxy to connect to our database:
https://tailscale.com/blog/introducing-pgproxy
https://github.com/tailscale/tailscale/tree/main/cmd/pgproxy
After running it locally and trying to connect to the database using psql with the connection url postgresql://<database-username>:<database-password>@<tailscale-hostname>:<port>/<database-name> , I get this error:
insecure connection: secure channel data mismatch
Any idea what might be causing this? It seems like it's probably making it to Neon servers but then getting denied at the door. Thanks!
5 Replies
adverse-sapphireOP•2y ago
I'm using this for the cacert.pem when running pgproxy: https://curl.se/docs/caextract.html
I am not that familiar with the source code of the proxy, but it looks like it basically just authenticates with Tailscale and then proxies the TCP connection through the Tailscale network.
Not sure if there are any options to psql or during the proxying that would be necessary to get around this issue, but I can't really find anything online about this particular error, so I'm guessing that this is a Neon-specific error.
continuing-cyan•2y ago
Neon offers MitM-resistant log-ins, and Tailscale's pgproxy is a MitM (even if it's a desired one). You need to disable channel binding while logging in.
correct-apricot•2y ago
CC @Daniel , docs material maybe?
adverse-sapphireOP•2y ago
Thanks for the heads up! So is the idea that the MitM resistance is opt-out, so that by default with a normal connection string you are protected, but if you need to, like in this case, the client can disable the MitM resistance with the channel_binding=disable option? Thanks!
continuing-cyan•2y ago
Correct
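To make the two answers above concrete, here is an added example (not code from the thread, from Neon, or from Tailscale's pgproxy) that models the tls-server-end-point channel binding used by SCRAM-SHA-256-PLUS: the client binds its login to a hash of the server certificate it saw on its own TLS session, and the server recomputes that hash from the certificate it presented. The certificate bytes are constructed stand-ins, and the gs2 header handling is simplified to the two cases this thread touches (binding on, and channel_binding=disable).

```python
# Added example: a minimal model of the channel-binding check that produces
# "secure channel data mismatch" when a TLS-terminating proxy sits in the path.
import base64
import hashlib

# Constructed stand-ins for DER-encoded server certificates (not real certs).
NEON_SERVER_CERT_DER = b"constructed-der: CN=<neon-endpoint>"
PGPROXY_CERT_DER = b"constructed-der: CN=<tailscale-hostname>"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: a hash of the server certificate.
    For certificates signed with SHA-256 (the common case) that is SHA-256 of the DER."""
    return hashlib.sha256(cert_der).digest()


def client_final_c_attribute(cert_seen_by_client: bytes, channel_binding: bool = True) -> str:
    """The c= attribute the SCRAM client sends in its client-final-message:
    base64(gs2-header || cbind-data). With channel_binding=disable the client
    picks plain SCRAM-SHA-256 and sends the "n,," header with no binding data."""
    if not channel_binding:
        return base64.b64encode(b"n,,").decode()
    gs2_header = b"p=tls-server-end-point,,"
    return base64.b64encode(gs2_header + tls_server_end_point(cert_seen_by_client)).decode()


def server_accepts(c_attribute: str, cert_server_presented: bytes) -> bool:
    """Server side: if the client requested binding, recompute the expected value
    from the certificate the server itself presented and compare. A mismatch is
    what PostgreSQL reports as 'secure channel data mismatch'."""
    decoded = base64.b64decode(c_attribute)
    if not decoded.startswith(b"p="):
        return True  # no binding requested; ordinary SCRAM proof still applies
    return c_attribute == client_final_c_attribute(cert_server_presented)


def direct_connection_ok() -> bool:
    # psql talks TLS directly to Neon: both sides hash the same certificate.
    return server_accepts(client_final_c_attribute(NEON_SERVER_CERT_DER), NEON_SERVER_CERT_DER)


def via_pgproxy_ok() -> bool:
    # psql's TLS session ends at pgproxy, so the client binds to pgproxy's certificate
    # while Neon compares against its own: the check fails, by design.
    return server_accepts(client_final_c_attribute(PGPROXY_CERT_DER), NEON_SERVER_CERT_DER)


def via_pgproxy_binding_disabled_ok() -> bool:
    # channel_binding=disable: the client no longer binds to a certificate, so the
    # login succeeds, and MitM resistance now rests on trusting the proxy itself.
    return server_accepts(client_final_c_attribute(PGPROXY_CERT_DER, False), NEON_SERVER_CERT_DER)
```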