Re: Problem with ssl and psql in Postgresql 13

At Thu, 24 Dec 2020 11:54:32 -0500, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote in
> I wrote:
> > Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> writes:
> >> The attached the first patch does that.
>
> > +1, it seems like a clear oversight that the GSSENC patches didn't adjust
> > these messages. The reason SSL state is mentioned is that it's relevant
> > to which pg_hba entry gets chosen; and once we invented "hostgssenc"
> > entries, GSSENC state is also relevant.
>
> Thinking a little more about that: there are not four distinct states,
> because GSS and SSL can't both be enabled (ProcessStartupPacket enforces
> that). So I propose that instead of adding a new field, we make the
> existing field say one of three things: "GSS encryption", "SSL
> encryption", or "no encryption". As per attached. In the back branches,
> it might be best to spell these as "GSS encryption", "SSL on", and "SSL
> off", just to minimize the cosmetic change.

Looks good to me.

I tried the same case where

- did kinit
- pg_hba has hostssl line only

I saw the following lines in server log, which seems good.

FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti(at)MYDOMAIN(dot)COM", database "postgres", GSS encryption
FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti(at)MYDOMAIN(dot)COM", database "postgres", no encryption

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center