Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Gustavsson Mikael <mikael.gustavsson@smhi.se>
Cc: Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>, Kyotaro Horiguchi <horikyota.ntt@gmail.com>, "pgsql-general@postgresql.org" <pgsql-general@postgresql.org>, Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-23T16:28:21Z
Lists: pgsql-general
Gustavsson Mikael <mikael.gustavsson@smhi.se> writes:
> I did a final test before logging out for Christmas because i found a thread in hackers discussing some issue with GSS and SSL.
> So if i set gssencmode=disable on my pgsql-13 to postgres 13 server connection i get an SSL connection.

Oooh ... that's the missing ingredient.  Do you have a GSS credentials
cache on the client side, but no support on the server side?

It looks like, if there is a credentials cache and gssencmode isn't
explicitly disabled, we try GSS first.  If the server refuses that:

                    if (gss_ok == 'N')
                    {
                        /* Server doesn't want GSSAPI; fall back if we can */
                        if (conn->gssencmode[0] == 'r')
                        {
                            appendPQExpBufferStr(&conn->errorMessage,
                                                 libpq_gettext("server doesn't support GSSAPI encryption, but it was required\n"));
                            goto error_return;
                        }

                        conn->try_gss = false;
                        conn->status = CONNECTION_MADE;
                        return PGRES_POLLING_WRITING;
                    }

that is, it decides the connection it has is good enough.  This
is not OK if SSL should have been used.

			regards, tom lane



Commits

  1. Fix up usage of krb_server_keyfile GUC parameter.

  2. Improve log messages related to pg_hba.conf not matching a connection.

  3. Fix assorted issues in backend's GSSAPI encryption support.

  4. Fix bugs in libpq's GSSAPI encryption support.