Re: Protocol problem with GSSAPI encryption?
Andrew Gierth <andrew@tao11.riddles.org.uk>
From: Andrew Gierth <andrew@tao11.riddles.org.uk>
To: Bruce Momjian <bruce@momjian.us>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2019-12-20T18:14:09Z
Lists: pgsql-hackers
>>>>> "Bruce" == Bruce Momjian <bruce@momjian.us> writes: >> This came up recently on IRC, not sure if the report there was >> passed on at all. >> >> ProcessStartupPacket assumes that there will be only one negotiation >> request for an encrypted connection, but libpq is capable of issuing >> two: it will ask for GSS encryption first, if it looks like it will >> be able to do GSSAPI, and if the server refuses that it will ask (on >> the same connection) for SSL. Bruce> Are you saying that there is an additional round-trip for Bruce> starting all SSL connections because we now support GSSAPI, or Bruce> this only happens if libpq asks for GSSAPI? The problem only occurs if libpq thinks it might be able to do GSSAPI, but the server does not. Without the patch I proposed or something like it, this case fails to connect at all; with it, there will be an extra round-trip. Explicitly disabling GSSAPI encryption in the connection string or environment avoids the issue. The exact condition for libpq seems to be a successful call to gss_acquire_cred, but I'm not familiar with GSS in general. -- Andrew (irc:RhodiumToad)
Commits
-
Fix GSS client to non-GSS server connection
- 79e594cf0475 12.3 landed
- b68a560f8ebf 13.0 landed