March 23, 2026
Press C to Panic?
The way CTRL-C in Postgres CLI cancels queries is incredibly hack-y
Postgres ‘Cancel’ Goes Naked: Devs Split Between ‘It’s Fine’ and ‘This Is Wild’
TLDR: Postgres’ command-line cancel still sends a separate, plaintext “stop” message, even though newer libraries can encrypt it. Commenters are split between “meh, bigger security issues exist” and “yikes, fix this,” with bonus nostalgia for old telnet tricks—important because it touches trust, uptime, and how we cancel safely.
Pressing Ctrl‑C in Postgres’ command line tool doesn’t just pause your query—it fires off a surprise, second connection to the server to yell “STOP!” And here’s the spicy bit: for decades, that “stop” was sent in plain, unencrypted text. The article calls it a decades‑old quirk, noting encryption for canceling only landed in the client library in Postgres 17, but the popular psql tool still sends it bare. Cue the comments.
The crowd split fast. One camp laughed nervously—YOLO cancel, indeed—and worried about denial‑of‑service risks (basically, someone spamming “STOP” to break things). Another camp shrugged: “If your database is exposed to the internet, you’ve got bigger problems,” as one commenter put it. A pragmatic voice asked the obvious: why not just use the same connection you already have? Why must cancel be “out of band”? Meanwhile, an old‑schooler revived 90s nostalgia: remember “urgent data” in TCP—the thing telnet used for Ctrl‑C?
Amid the drama, some praised the article for not fear‑mongering—“heebie‑jeebies level 6,” not 11—while others admitted they assumed it was encrypted because their main session was. The vibe: half “please fix this yesterday,” half “this has worked for 30 years, chill.” Either way, folks are watching to see when psql finally flips the switch to encrypted cancel.
Key Points
- •psql cancels queries by sending a CancelRequest over a new connection identified by process ID and a secret key from BackendKeyData.
- •Cancellation targets a connection, not a specific query, creating a race condition risk.
- •psql currently sends CancelRequest messages unencrypted, even when the main session uses strict TLS settings.
- •libpq added support for TLS-encrypted CancelRequest in PostgreSQL 17; some libpq-based drivers (e.g., ruby-pg) now use it.
- •Protocol v3.2 allows cancellation keys up to 256 bytes to mitigate brute-force risks; psql has not yet adopted encrypted cancellation due to signal-safety and refactoring needs.