Thread

  1. Re: Protocol problem with GSSAPI encryption?

    Jakob Egger <jakob@eggerapps.at> — 2019-12-06T14:35:38Z

    > On 4. Dec 2019, at 06:24, Stephen Frost <sfrost@snowman.net> wrote:
    > 
    > Greetings,
    > 
    > * Andrew Gierth (andrew@tao11.riddles.org.uk) wrote:
    >>>>>>> "Peter" == Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
    >> 
    >>>> It seems to me that this is a bug in ProcessStartupPacket, which
    >>>> should accept both GSS or SSL negotiation requests on a connection
    >>>> (in either order). Maybe secure_done should be two flags rather than
    >>>> one?
    >> 
    >> Peter> I have also seen reports of that. I think your analysis is
    >> Peter> correct.
    >> 
    >> I figure something along these lines for the fix. Anyone in a position
    >> to test this?
    > 
    > At least at first blush, I tend to agree with your analysis and patch.
    
    I agree with the patch, but this also needs to be fixed on the client side.
    Otherwise libpq won't be able to connect to older servers.
    
    I'm attaching a proposed second patch to detect the error on the client side and reconnect to this message.
    
    This patch was first submitted as a separate thread here:
    https://www.postgresql.org/message-id/F27EEE9D-D04A-4B6B-B1F1-96EA4DD996D0@eggerapps.at
    
    
    Jakob