Re: Problem with ssl and psql in Postgresql 13

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Cc: sfrost@snowman.net, mikael.gustavsson@smhi.se, magnus@hagander.net, pgsql-general@postgresql.org, peter.svensson@smhi.se
Date: 2020-12-24T16:54:32Z
Lists: pgsql-general

Attachments

I wrote:
> Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
>> The attached the first patch does that.

> +1, it seems like a clear oversight that the GSSENC patches didn't adjust
> these messages.  The reason SSL state is mentioned is that it's relevant
> to which pg_hba entry gets chosen; and once we invented "hostgssenc"
> entries, GSSENC state is also relevant.

Thinking a little more about that: there are not four distinct states,
because GSS and SSL can't both be enabled (ProcessStartupPacket enforces
that).  So I propose that instead of adding a new field, we make the
existing field say one of three things: "GSS encryption", "SSL
encryption", or "no encryption".  As per attached.  In the back branches,
it might be best to spell these as "GSS encryption", "SSL on", and "SSL
off", just to minimize the cosmetic change.

			regards, tom lane

Commits

  1. Fix up usage of krb_server_keyfile GUC parameter.

  2. Improve log messages related to pg_hba.conf not matching a connection.

  3. Fix assorted issues in backend's GSSAPI encryption support.

  4. Fix bugs in libpq's GSSAPI encryption support.