Re: pg13 psql can't connect pg instance with ssl enabled after upgrading

From: jian xu <jamesxu(at)outlook(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg13 psql can't connect pg instance with ssl enabled after upgrading
Date: 2021-02-12 22:52:14
Message-ID: BL0PR02MB45612EA590D8ACB9A14A0E7BA18B9@BL0PR02MB4561.namprd02.prod.outlook.com
Lists: pgsql-admin

Thanks Tom. You are right, we are using GSS authentication, and the psql version is 13.1:
postgresql_13_1/bin/psql --version
psql (PostgreSQL) 13.1

And if I don't enforce SSL connections in the pg_hba.conf file (don't use hostssl, and use host), pg13 psql could connect:
postgresql_13_1/bin/psql "sslmode=require host=xxxxx dbname=postgres"
psql (13.1)
GSSAPI-encrypted connection
Type "help" for help.

pg13 psql can also log in with an SSL connection on a pg11 instance:
postgresql_13_1/bin/psql "sslmode=require host=bbbbbbb dbname=postgres"
psql (13.1, server 11.8)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

And pg11 psql can also log in to the pg13 instance with SSL enabled:
public_postgresql_11_8/bin/psql "sslmode=require host=xxxxxx dbname=postgres"
psql (11.8, server 13.1)
WARNING: psql major version 11, server major version 13.
Some psql features might not work.
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

Only pg13 psql doesn't work with the pg13 instance with SSL enabled.
Shall I try pg13.2 first?

Thanks,
James

________________________________
From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Sent: Friday, February 12, 2021 16:50
To: jian xu <jamesxu(at)outlook(dot)com>
Cc: pgsql-admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg13 psql can't connect pg instance with ssl enabled after upgrading

jian xu <jamesxu(at)outlook(dot)com> writes:
> The instance didn't have SSL enabled; we upgraded it to pg13, then enabled SSL. However, when we try to log in with pg13 psql 13, psql always tries ssl=off to log in
> public_postgresql_13_1/bin/psql "sslmode=require host=xxxxxx dbname=postgres"
> psql: error: FATAL: no pg_hba.conf entry for host "xxxxx", user "xxxx", database "postgres", SSL off

Are you entirely sure that that version of psql (or more accurately,
the libpq it's linked to) was built with SSL support?

If you are in an environment where GSS encryption is possible, it
could also be that you're being bit by the recently-fixed bug that
libpq didn't fall back from GSS to SSL encryption correctly [1].
That seems unlikely though, as both client and server would need to
possess active Kerberos tickets.

regards, tom lane

[1] https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=06b844c2b
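
Added example, not part of the thread or of PostgreSQL's code: a simplified Python model of how the record-type column of pg_hba.conf is matched against a TCP/IP connection's encryption. It shows why a GSSAPI-encrypted connection is accepted by a `host` line but finds no entry when only `hostssl` lines exist, consistent with the sessions shown in the message above. Database, user, address and auth-method columns are ignored, and the rule sets are constructed.

```python
# Simplified model of pg_hba.conf record-type matching for TCP/IP connections.
# Only the first column (record type) is modelled; the rule sets are constructed
# samples, not taken from the poster's configuration.

# record type -> predicate over (ssl, gssenc); a connection uses at most one of them
RECORD_TYPES = {
    "host":         lambda ssl, gss: True,      # any TCP/IP connection
    "hostssl":      lambda ssl, gss: ssl,       # SSL-encrypted only
    "hostnossl":    lambda ssl, gss: not ssl,   # anything that is not SSL
    "hostgssenc":   lambda ssl, gss: gss,       # GSSAPI-encrypted only
    "hostnogssenc": lambda ssl, gss: not gss,   # anything that is not GSSAPI-encrypted
}


def first_match(rules, ssl, gssenc):
    """Return the first record type in `rules` that accepts the connection, else None."""
    for rtype in rules:
        if RECORD_TYPES[rtype](ssl, gssenc):
            return rtype
    return None


def describe(rules, ssl, gssenc):
    """Human-readable result for one connection against one rule set."""
    hit = first_match(rules, ssl, gssenc)
    enc = "SSL" if ssl else "GSSAPI" if gssenc else "none"
    outcome = f"matched {hit}" if hit else "no pg_hba.conf entry"
    return f"encryption={enc}: {outcome}"


if __name__ == "__main__":
    gss_conn = dict(ssl=False, gssenc=True)   # client negotiated GSSAPI encryption
    ssl_conn = dict(ssl=True, gssenc=False)   # client negotiated SSL
    for rules in (["hostssl"], ["host"], ["hostgssenc", "hostssl"]):
        print(rules)
        print("  ", describe(rules, **gss_conn))
        print("  ", describe(rules, **ssl_conn))
```
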
