Re: SV: Problem with ssl and psql in Postgresql 13
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Gustavsson Mikael <mikael.gustavsson@smhi.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Kyotaro Horiguchi <horikyota.ntt@gmail.com>, "pgsql-general@postgresql.org" <pgsql-general@postgresql.org>,
Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-17T14:52:55Z
Lists: pgsql-general
On Thu, Dec 17, 2020 at 3:36 PM Gustavsson Mikael <mikael.gustavsson@smhi.se> wrote: > > > Hi, > > log_connections is on. The ERR message is correct, we do not have an entry for SSL off. > The question is why psql(13) is trying to connect without ssl? > > 2020-12-17T14:25:09.565566+00:00 server INFO [30-1] pgpid=2422778 pguser=[unknown] pghost=nnn.nn.n.nnn pgdb=[unknown] pgapp=[unknown] LOG: connection received: host=nnn.nn.n.nnn port=40112 > 2020-12-17T14:25:09.566411+00:00 server ERR [31-1] pgpid=2422778 pguser=kalle pghost=nnn.nn.n.nnn pgdb=postgres pgapp=[unknown] FATAL: no pg_hba.conf entry for host "nnn.nn.n.nnn", user "kalle", database "postgres", SSL off By default psql/libpq will fall back to a clear text connection if the ssl encrypted one failed. Specify sslmode=require (or preferably higher) in the connection string or set PGSSLMODE=require on the client to disable that behavior. If you do that, my guess is you will see a direct connection failure instead of that error? PostgreSQL 13 did change the default value for minimum tls version to 1.2. But that seems unlikely to be the problem since you get TLS 1.3 when you use the old version... I assume you're running both the 11 and the 13 client on the same host? -- Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/
Commits
-
Fix up usage of krb_server_keyfile GUC parameter.
- 861e967176e9 13.2 landed
- 860fe27ee1e2 14.0 landed
- 3ca19490b4f8 12.6 landed
-
Improve log messages related to pg_hba.conf not matching a connection.
- d05e14d786ac 13.2 landed
- 7ed616f818f0 12.6 landed
- 3995c424984e 14.0 landed
-
Fix assorted issues in backend's GSSAPI encryption support.
- c1c88bf03e1e 13.2 landed
- 622ae4621ece 14.0 landed
- 4cfdd8a47a9e 12.6 landed
-
Fix bugs in libpq's GSSAPI encryption support.
- ff6ce9a3a691 14.0 landed
- b3a5bf719cf7 12.6 landed
- 06b844c2b8d3 13.2 landed