Re: Protocol problem with GSSAPI encryption?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Protocol problem with GSSAPI encryption?
Date: 2019-12-20 18:16:27
Message-ID: 20191220181627.GF29807@momjian.us
Lists: pgsql-hackers

On Fri, Dec 20, 2019 at 06:14:09PM +0000, Andrew Gierth wrote:
> >>>>> "Bruce" == Bruce Momjian <bruce(at)momjian(dot)us> writes:
>
> >> This came up recently on IRC, not sure if the report there was
> >> passed on at all.
> >>
> >> ProcessStartupPacket assumes that there will be only one negotiation
> >> request for an encrypted connection, but libpq is capable of issuing
> >> two: it will ask for GSS encryption first, if it looks like it will
> >> be able to do GSSAPI, and if the server refuses that it will ask (on
> >> the same connection) for SSL.
>
> Bruce> Are you saying that there is an additional round-trip for
> Bruce> starting all SSL connections because we now support GSSAPI, or
> Bruce> this only happens if libpq asks for GSSAPI?
>
> The problem only occurs if libpq thinks it might be able to do GSSAPI,
> but the server does not. Without the patch I proposed or something like
> it, this case fails to connect at all; with it, there will be an extra
> round-trip. Explicitly disabling GSSAPI encryption in the connection
> string or environment avoids the issue.
>
> The exact condition for libpq seems to be a successful call to
> gss_acquire_cred, but I'm not familiar with GSS in general.

Thanks for the clarification from you and Stephen.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
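The negotiation sequence Andrew describes above, as an added example that is not part of this thread, of libpq, or of the postmaster: a small Python model of the startup exchange in which the client sends a GSSENCRequest, gets back 'N', and then sends an SSLRequest on the same connection before the StartupMessage. The request codes (1234/5679 for SSLRequest, 1234/5680 for GSSENCRequest, 3.0 for the StartupMessage) are the wire values from the PostgreSQL frontend/backend protocol; everything else is a simplification. In particular, the "one of each" rule used for the patched backend is an assumption about the shape of the fix, since the patch itself is not shown here, and `gss_credentials_ok` stands in for the successful `gss_acquire_cred` call that makes libpq try GSS first.

```python
import struct

# Wire values from the PostgreSQL protocol spec: a negotiation request is
# Int32 length (self-inclusive) followed by Int32 code, where the code is
# "most significant 16 bits 1234, least significant 16 bits 5679/5680".
SSL_REQUEST_CODE = (1234 << 16) | 5679     # SSLRequest    -> 80877103
GSSENC_REQUEST_CODE = (1234 << 16) | 5680  # GSSENCRequest -> 80877104
PROTOCOL_V3 = 3 << 16                      # StartupMessage, protocol 3.0


class ProtocolError(Exception):
    pass


def negotiation_packet(code):
    """8-byte negotiation request: length 8, then the request code."""
    return struct.pack("!ii", 8, code)


def startup_packet(user, database):
    """StartupMessage: length, protocol version, NUL-separated key/value pairs, final NUL."""
    body = struct.pack("!i", PROTOCOL_V3)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!i", len(body) + 4) + body


class Backend:
    """Model (assumed, simplified) of the postmaster side of startup.

    allow_one_of_each=False models the pre-patch ProcessStartupPacket, which
    handles a single negotiation request and then expects a StartupMessage.
    allow_one_of_each=True models the proposed fix: at most one GSSENCRequest
    and one SSLRequest may precede the StartupMessage.
    """

    def __init__(self, gss_enabled, ssl_enabled, allow_one_of_each):
        self.gss_enabled = gss_enabled
        self.ssl_enabled = ssl_enabled
        self.allow_one_of_each = allow_one_of_each
        self.negotiations = 0
        self.gss_done = False
        self.ssl_done = False

    def process_startup_packet(self, pkt):
        length, code = struct.unpack("!ii", pkt[:8])
        if length != len(pkt):
            raise ProtocolError("bad packet length")
        may_negotiate = self.allow_one_of_each or self.negotiations == 0
        if code == GSSENC_REQUEST_CODE and may_negotiate and not self.gss_done:
            self.negotiations += 1
            self.gss_done = True
            return b"G" if self.gss_enabled else b"N"
        if code == SSL_REQUEST_CODE and may_negotiate and not self.ssl_done:
            self.negotiations += 1
            self.ssl_done = True
            return b"S" if self.ssl_enabled else b"N"
        # Anything else must be a StartupMessage. An unexpected second
        # negotiation request lands here and is rejected, which is the
        # "fails to connect at all" case from the thread.
        if code != PROTOCOL_V3:
            raise ProtocolError("unsupported frontend protocol %d.%d"
                                % (code >> 16, code & 0xFFFF))
        return b"startup-ok"


def libpq_connect(backend, gss_credentials_ok, sslmode="prefer"):
    """Model (assumed, simplified) of libpq's negotiation order.

    Tries GSS encryption first when gss_credentials_ok (a successful
    gss_acquire_cred), then SSL unless sslmode is "disable", then sends the
    StartupMessage. Returns (transport, negotiation_round_trips).
    """
    round_trips = 0
    transport = "plain"
    if gss_credentials_ok:
        round_trips += 1
        if backend.process_startup_packet(negotiation_packet(GSSENC_REQUEST_CODE)) == b"G":
            transport = "gss"
    if transport == "plain" and sslmode != "disable":
        round_trips += 1
        if backend.process_startup_packet(negotiation_packet(SSL_REQUEST_CODE)) == b"S":
            transport = "ssl"
    backend.process_startup_packet(startup_packet("app", "appdb"))
    return transport, round_trips


def attempt(backend, gss_credentials_ok, sslmode="prefer"):
    """Run one connection attempt and report the outcome instead of raising."""
    try:
        return libpq_connect(backend, gss_credentials_ok, sslmode)
    except ProtocolError as exc:
        return ("failed", str(exc))


if __name__ == "__main__":
    print("unpatched, client expects GSS:", attempt(Backend(False, True, False), True))
    print("patched,   client expects GSS:", attempt(Backend(False, True, True), True))
    print("unpatched, gssencmode=disable:", attempt(Backend(False, True, False), False))
    print("unpatched, server has GSS:    ", attempt(Backend(True, True, False), True))
```

Running it shows the three cases from the thread: the unpatched backend rejects the SSLRequest that follows a refused GSSENCRequest, the patched one connects over SSL at the cost of a second negotiation round trip, and disabling GSS encryption on the client side avoids the issue on either backend.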
