Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Gustavsson Mikael <mikael.gustavsson@smhi.se>
Cc: Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>,
Kyotaro Horiguchi <horikyota.ntt@gmail.com>,
"pgsql-general@postgresql.org" <pgsql-general@postgresql.org>,
Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-23T20:58:46Z
Lists: pgsql-general
I wrote: > Gustavsson Mikael <mikael.gustavsson@smhi.se> writes: >> So if i set gssencmode=disable on my pgsql-13 to postgres 13 server connection i get an SSL connection. > It looks like, if there is a credentials cache and gssencmode isn't > explicitly disabled, we try GSS first. If the server refuses that: > ... > that is, it decides the connection it has is good enough. This > is not OK if SSL should have been used. No, I misread the code; what will happen next is that an SSL connection will be tried. At least, it looks like that should happen, and it does happen for me. However: it is true (and undocumented, so we have at least a docs bug to fix) that v12-and-later libpq will try for GSS encryption first, and if it succeeds then it will not consider using SSL, regardless of sslmode. So about 95% of your report could be explained by assuming that you have a working Kerberos environment and the newer libpq is preferring GSS encryption over SSL. There is just one thing this theory is failing to explain: instead of "SSL connection", psql should have printed "GSSAPI-encrypted connection" in your test shown in <d3ab9042bce34aae85d323d69e3ee430@smhi.se>. It didn't, so this can't be the true explanation. I think what must be happening is that libpq is trying for GSS (hence you have at least a credentials cache somewhere), failing to establish it, and then for some reason advancing to the startup-packet step without trying for SSL. But I can't see how to get the state machine to do that. Have you got any environment variables, service files, etc that would affect libpq's behavior? regards, tom lane
Commits
-
Fix up usage of krb_server_keyfile GUC parameter.
- 861e967176e9 13.2 landed
- 860fe27ee1e2 14.0 landed
- 3ca19490b4f8 12.6 landed
-
Improve log messages related to pg_hba.conf not matching a connection.
- d05e14d786ac 13.2 landed
- 7ed616f818f0 12.6 landed
- 3995c424984e 14.0 landed
-
Fix assorted issues in backend's GSSAPI encryption support.
- c1c88bf03e1e 13.2 landed
- 622ae4621ece 14.0 landed
- 4cfdd8a47a9e 12.6 landed
-
Fix bugs in libpq's GSSAPI encryption support.
- ff6ce9a3a691 14.0 landed
- b3a5bf719cf7 12.6 landed
- 06b844c2b8d3 13.2 landed