From 3bd2486778cc3a69434181e02fa214f2c45c4b68 Mon Sep 17 00:00:00 2001
From: George MacKerron
Date: Wed, 30 Jul 2025 14:07:37 +0100
Subject: [PATCH] Check postgresql ALPN value for direct SSL connections
---
 proxy/src/pglb/handshake.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/proxy/src/pglb/handshake.rs b/proxy/src/pglb/handshake.rs
index 25a2d01b4a..df6e5ecf8b 100644
--- a/proxy/src/pglb/handshake.rs
+++ b/proxy/src/pglb/handshake.rs
@@ -137,7 +137,13 @@ pub(crate) async fn handshake(
 
 // check the ALPN, if exists, as required.
 match conn_info.alpn_protocol() {
- None | Some(PG_ALPN_PROTOCOL) => {}
+ None => {
+ if direct.is_some() {
+ warn!("missing ALPN protocol 'postgresql'");
+ return Err(HandshakeError::ProtocolViolation);
+ }
+ }
+ Some(PG_ALPN_PROTOCOL) => {}
 Some(other) => {
 let alpn = String::from_utf8_lossy(other);
 warn!(%alpn, "unexpected ALPN");
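Review bot: The comment above the match still reads "check the ALPN, if exists, as required", but with the new `None` arm a missing ALPN is a hard failure when `direct.is_some()` and is accepted without a log line otherwise, and nothing in the hunk says why the two paths differ. I would replace it with something like `// direct TLS: ALPN "postgresql" is mandatory; non-direct path: a missing ALPN is still accepted`, adding the reason for the non-direct exemption, which is not visible here. The diffstat lists only handshake.rs, so the new rejection path has no test in this patch; a case asserting `HandshakeError::ProtocolViolation` for a direct connection that offers no ALPN would pin the behaviour. The body of `handshake` starts and ends outside the hunk, so whether the `Some(other)` arm returns the same error cannot be confirmed from these lines.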