SV: SV: SV: Problem with ssl and psql in Postgresql 13

Hi,

I did some more tests to try to narrow it down. For me it only added to the confusion but maybe it tells you something.

Test 1:

I changed my pg_hba.conf from hostssl to host.

Now I can connect but SSL is not used even if i use require.

pgsql-13:

$ /usr/pgsql-13/bin/psql -d postgres -Ukalle -hserver
Password for user kalle:
psql (13.1)
Type "help" for help.

postgres=>

pgsql-13 with require:
$ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server sslmode=require"
Password for user kalle:
psql (13.1)
Type "help" for help.

postgres=>

pgsql-11 for reference:
$ /usr/pgsql-11/bin/psql -d postgres -Ukalle -hserver
Password for user kalle:
psql (11.10, server 13.1)
WARNING: psql major version 11, server major version 13.
Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=>

Test2:

It works when i connect pgsql-13 client to a postgresql-11 server. So it´s only the combination pgsql-13 client and postgresql-13 server that does not work.

$ /usr/pgsql-13/bin/psql -d postgres -Ukalle -hserver11
Password for user kalle:
psql (13.1, server 11.10)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=>

KR Mikael Gustavsson, SMHI

________________________________
Från: externaly-forwarded(at)smhi(dot)se <externaly-forwarded(at)smhi(dot)se> för Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se>
Skickat: den 17 december 2020 17:33:13
Till: Tom Lane
Kopia: Magnus Hagander; Kyotaro Horiguchi; pgsql-general(at)postgresql(dot)org; Svensson Peter
Ämne: SV: SV: SV: Problem with ssl and psql in Postgresql 13

Here is the result.

ldd /usr/pgsql-13/bin/psql
linux-vdso.so.1 (0x00007ffd714d5000)
libpq.so.5 => /usr/pgsql-13/lib/libpq.so.5 (0x00007f2d1700a000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2d16dea000)
libreadline.so.7 => /lib64/libreadline.so.7 (0x00007f2d16b9b000)
libm.so.6 => /lib64/libm.so.6 (0x00007f2d16819000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2d16456000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f2d161c2000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f2d15cdc000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2d15a87000)
libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 (0x00007f2d15830000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2d1725b000)
libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f2d15603000)
libz.so.1 => /lib64/libz.so.1 (0x00007f2d153ec000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f2d151e8000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2d14eff000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2d14ce8000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2d14ae4000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2d148d3000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2d146cf000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2d144b8000)
liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f2d142a8000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f2d1408a000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2d13e60000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2d13c37000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2d139b3000)

ldd /usr/pgsql-13/lib/libpq.so.5
linux-vdso.so.1 (0x00007fff51f79000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f88432d1000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f8842deb000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f8842b96000)
libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 (0x00007f884293f000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f884271f000)
libc.so.6 => /lib64/libc.so.6 (0x00007f884235c000)
libz.so.1 => /lib64/libz.so.1 (0x00007f8842145000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f8841f41000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f8841c58000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f8841a41000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f884183d000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f884162c000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f8841428000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f8841211000)
liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f8841001000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f8840de3000)
/lib64/ld-linux-x86-64.so.2 (0x00007f88437b6000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f8840bb9000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f8840990000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f884070c000)

/Mikael

________________________________
Från: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Skickat: den 17 december 2020 17:25:31
Till: Gustavsson Mikael
Kopia: Magnus Hagander; Kyotaro Horiguchi; pgsql-general(at)postgresql(dot)org; Svensson Peter
Ämne: Re: SV: SV: Problem with ssl and psql in Postgresql 13

Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se> writes:
> $ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server sslmode=require"
> psql: error: FATAL: no pg_hba.conf entry for host "nn.nnn.n.nnn", user "kalle", database "postgres", SSL off
> FATAL: no pg_hba.conf entry for host "nn.nnn.n.nnn", user "kalle", database "postgres", SSL off

It'd be useful to verify that that version of psql+libpq is actually
built with ssl support. Try

ldd /usr/pgsql-13/bin/psql

and then repeat "ldd" on whichever libpq.so is mentioned in the output.

regards, tom lane