SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

Hi,

I did a final test before logging out for Christmas because i found a thread in hackers discussing some issue with GSS and SSL.

So if i set gssencmode=disable on my pgsql-13 to postgres 13 server connection i get an SSL connection.

Is this expected behaviour?

$ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server gssencmode=disable"
Password for user kalle:
psql (13.1)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=>

KR, Mikael Gustavsson, SMHI

________________________________
Från: externaly-forwarded(at)smhi(dot)se <externaly-forwarded(at)smhi(dot)se> för Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se>
Skickat: den 22 december 2020 09:07:17
Till: Tom Lane
Kopia: Magnus Hagander; Kyotaro Horiguchi; pgsql-general(at)postgresql(dot)org; Svensson Peter
Ämne: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

Hi,

Yes it´s odd. I think we begin with download/reinstall and take it from there.

The server name is just letters and numbers so I think we can rule that out.

Christmas is coming up fast as usual so I think I will pick this up in January.

Thanks for all the help and Happy Christmas! Or God Jul as we say in Sweden.

KR

Mikael Gustavsson, SMHI

________________________________
Från: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Skickat: den 18 december 2020 21:02:50
Till: Gustavsson Mikael
Kopia: Magnus Hagander; Kyotaro Horiguchi; pgsql-general(at)postgresql(dot)org; Svensson Peter
Ämne: Re: SV: SV: SV: Problem with ssl and psql in Postgresql 13

Gustavsson Mikael <mikael(dot)gustavsson(at)smhi(dot)se> writes:
> pgsql-13 with require:
> $ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server sslmode=require"
> Password for user kalle:
> psql (13.1)
> Type "help" for help.

That is just bizarre. libpq should not ignore the sslmode=require option
like that, unless it thinks it's making a Unix-socket connection, which
it should not think given the host specification. (There's not a slash
in your server's real name, is there? But if there was, v11 should
misbehave too.)

It seems like there must be some environment setting, or maybe a service
file, changing the behavior from what it should be on its face. But
that theory has big flaws too: an explicit sslmode=require setting should
not be overridable from environment, and even if it was, why wouldn't v11
act the same?

The only other conclusion I can think of is that your copy of libpq.so
is broken. Maybe you should try redownloading/reinstalling v13.

regards, tom lane