Re: Protocol problem with GSSAPI encryption?
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Andrew Gierth <andrew@tao11.riddles.org.uk>,
pgsql-hackers@lists.postgresql.org
Date: 2019-12-02T16:06:30Z
Lists: pgsql-hackers
On 2019-12-01 02:13, Andrew Gierth wrote: > But ProcessStartupPacket assumes that the packet after a failed > negotiation of either kind will be the actual startup packet, so the SSL > connection request is rejected with "unsupported version 1234.5679". > > I'm guessing this usually goes unnoticed because most people are > probably not set up to do GSSAPI, and those who are are probably ok with > using it for encryption. But if the client is set up for GSSAPI and the > server not, then trying to do an SSL connection will fail when it should > succeed, and PGGSSENCMODE=disable in the environment (or connect string) > is necessary to get the connection to succeed. > > It seems to me that this is a bug in ProcessStartupPacket, which should > accept both GSS or SSL negotiation requests on a connection (in either > order). Maybe secure_done should be two flags rather than one? I have also seen reports of that. I think your analysis is correct. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Fix GSS client to non-GSS server connection
- 79e594cf0475 12.3 landed
- b68a560f8ebf 13.0 landed