Re: BUG #18095: Unintended non-SSL connection attempt by psql cli command after a failed password authentication

On Thu, 2023-09-07 at 16:44 +0000, PG Bug reporting form wrote:
> Bug reference:      18095
> Logged by:          Youssef TOURKI
> Email address:      ytourki(at)ext(dot)scaleway(dot)com
> PostgreSQL version: 14.9
> Operating system:   Ubuntu 22
> Description:       
>
> The bug is related to the psql client (cli) 
>
> When connecting to a PostgreSQL server (version 14) configured to only
> accept SSL connections, if a user provides an incorrect password, the psql
> client (version 14) returns two error messages in succession. The first
> message correctly indicates a password authentication failure, but the
> second suggests an unexpected non-SSL connection attempt.
>
> Steps to Reproduce:
>
> Configure the PostgreSQL server to accept only SSL connections.
> Use the psql client to connect to the server, intentionally providing an
> incorrect password.
> Observe the error messages returned.
> Expected Behavior:
>
> Upon providing an incorrect password, the user should receive a single error
> message related to the authentication failure. The client should not attempt
> a non-SSL connection, especially given that the server is configured to only
> accept SSL.
>
> Actual Behavior:
>
> Two error messages are displayed

This is no bug; it is working as designed and as documented; see
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLMODE

The default SSL mode is "prefer": the first attempt is an encrypted connection,
if that fails, an unencrypted connection is tried.

To change that, you have to configure the client appropriately:

psql "host=... port=... user=... dbname=... password=... sslmode=require"

Alternatively, set the environment variable PGSSLMODE to "require".

Yours,
Laurenz Albe