Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>, Svensson Peter <peter(dot)svensson(at)smhi(dot)se>
Subject: Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13
Date: 2020-12-23 16:28:21
Message-ID: 723586.1608740901@sss.pgh.pa.us
Lists: pgsql-general

Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se> writes:
> I did a final test before logging out for Christmas because I found a thread in hackers discussing some issue with GSS and SSL.
> So if I set gssencmode=disable on my pgsql-13 to postgres 13 server connection I get an SSL connection.

Oooh ... that's the missing ingredient. Do you have a GSS credentials
cache on the client side, but no support on the server side?

It looks like, if there is a credentials cache and gssencmode isn't
explicitly disabled, we try GSS first. If the server refuses that:

    if (gss_ok == 'N')
    {
        /* Server doesn't want GSSAPI; fall back if we can */
        if (conn->gssencmode[0] == 'r')
        {
            appendPQExpBufferStr(&conn->errorMessage,
                                 libpq_gettext("server doesn't support GSSAPI encryption, but it was required\n"));
            goto error_return;
        }

        conn->try_gss = false;
        conn->status = CONNECTION_MADE;
        return PGRES_POLLING_WRITING;
    }

that is, it decides the connection it has is good enough. This
is not OK if SSL should have been used.

regards, tom lane
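
Added example, not part of the original message or of libpq: a server-side query that shows which transport each TCP session actually negotiated, so a client that skipped SSL after a refused GSS attempt, as described above, shows up as plaintext. It assumes PostgreSQL 12 or later (both pg_stat_ssl and pg_stat_gssapi exist there); the column aliases and the transport labels are chosen here.

```sql
-- One row per TCP client session, classified by the encryption it ended up with.
SELECT a.pid,
       a.usename,
       a.client_addr,
       a.application_name,
       s.ssl,
       s.version   AS tls_version,
       s.cipher    AS tls_cipher,
       g.encrypted AS gss_encrypted,
       CASE
           WHEN s.ssl       THEN 'ssl'
           WHEN g.encrypted THEN 'gss'
           ELSE 'plaintext'           -- neither layer was negotiated
       END AS transport
FROM pg_stat_activity a
LEFT JOIN pg_stat_ssl    s USING (pid)
LEFT JOIN pg_stat_gssapi g USING (pid)
WHERE a.backend_type = 'client backend'
  AND a.client_addr IS NOT NULL       -- skip Unix-socket sessions
ORDER BY transport, a.client_addr;

-- The same check for the current session only, e.g. run from psql
-- right after connecting with and without gssencmode=disable.
SELECT s.ssl, s.version AS tls_version, g.encrypted AS gss_encrypted
FROM pg_stat_ssl s
JOIN pg_stat_gssapi g USING (pid)
WHERE s.pid = pg_backend_pid();
```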
