Re: SV: Problem with ssl and psql in Postgresql 13

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Gustavsson Mikael <mikael.gustavsson@smhi.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Kyotaro Horiguchi <horikyota.ntt@gmail.com>, "pgsql-general@postgresql.org" <pgsql-general@postgresql.org>, Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-17T14:52:55Z
Lists: pgsql-general
On Thu, Dec 17, 2020 at 3:36 PM Gustavsson Mikael
<mikael.gustavsson@smhi.se> wrote:
>
>
> Hi,
>
> log_connections is on. The ERR message is correct, we do not have an entry for SSL off.
> The question is why psql(13) is trying to connect without ssl?
>
> 2020-12-17T14:25:09.565566+00:00 server INFO [30-1] pgpid=2422778 pguser=[unknown] pghost=nnn.nn.n.nnn pgdb=[unknown] pgapp=[unknown] LOG:  connection received: host=nnn.nn.n.nnn port=40112
> 2020-12-17T14:25:09.566411+00:00 server ERR [31-1] pgpid=2422778 pguser=kalle pghost=nnn.nn.n.nnn pgdb=postgres pgapp=[unknown] FATAL:  no pg_hba.conf entry for host "nnn.nn.n.nnn", user "kalle", database "postgres", SSL off


By default psql/libpq will fall back to a clear text connection if the
ssl encrypted one failed. Specify sslmode=require (or preferably
higher) in the connection string or set PGSSLMODE=require on the
client to disable that behavior. If you do that, my guess is you will
see a direct connection failure instead of that error?

PostgreSQL 13 did change the default value for minimum tls version to
1.2. But that seems unlikely to be the problem since you get TLS 1.3
when you use the old version...

I assume you're running both the 11 and the 13 client on the same host?

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/



Commits

  1. Fix up usage of krb_server_keyfile GUC parameter.

  2. Improve log messages related to pg_hba.conf not matching a connection.

  3. Fix assorted issues in backend's GSSAPI encryption support.

  4. Fix bugs in libpq's GSSAPI encryption support.