Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Gustavsson Mikael <mikael.gustavsson@smhi.se>
Cc: Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>,
Kyotaro Horiguchi <horikyota.ntt@gmail.com>,
"pgsql-general@postgresql.org" <pgsql-general@postgresql.org>,
Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-23T16:28:21Z
Lists: pgsql-general
Gustavsson Mikael <mikael.gustavsson@smhi.se> writes:
> I did a final test before logging out for Christmas because i found a thread in hackers discussing some issue with GSS and SSL.
> So if i set gssencmode=disable on my pgsql-13 to postgres 13 server connection i get an SSL connection.
Oooh ... that's the missing ingredient. Do you have a GSS credentials
cache on the client side, but no support on the server side?
It looks like, if there is a credentials cache and gssencmode isn't
explicitly disabled, we try GSS first. If the server refuses that:
if (gss_ok == 'N')
{
/* Server doesn't want GSSAPI; fall back if we can */
if (conn->gssencmode[0] == 'r')
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("server doesn't support GSSAPI encryption, but it was required\n"));
goto error_return;
}
conn->try_gss = false;
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
that is, it decides the connection it has is good enough. This
is not OK if SSL should have been used.
regards, tom lane
Commits
-
Fix up usage of krb_server_keyfile GUC parameter.
- 861e967176e9 13.2 landed
- 860fe27ee1e2 14.0 landed
- 3ca19490b4f8 12.6 landed
-
Improve log messages related to pg_hba.conf not matching a connection.
- d05e14d786ac 13.2 landed
- 7ed616f818f0 12.6 landed
- 3995c424984e 14.0 landed
-
Fix assorted issues in backend's GSSAPI encryption support.
- c1c88bf03e1e 13.2 landed
- 622ae4621ece 14.0 landed
- 4cfdd8a47a9e 12.6 landed
-
Fix bugs in libpq's GSSAPI encryption support.
- ff6ce9a3a691 14.0 landed
- b3a5bf719cf7 12.6 landed
- 06b844c2b8d3 13.2 landed