On Wed, May 24, 2023 at 02:12:23PM -0400, Dave Cramer wrote: > The last piece of information is the encryption state. However when an SSL > connection fails to authenticate the state is not encrypted. > > When would it ever be encrypted if authentication fails ?
I am not sure to follow. Under a SSL connection things should be encrypted. Or perhaps that's something related to hostssl and/or hostnossl? Back to the point, the SSL handshake happens before any authentication attempt and any HBA resolution, so a connection could be encrypted before authentication gets rejected. The error path you are pointing at would happen after the SSL handshake is done. For instance, take an HBA entry like that: # TYPE DATABASE USER ADDRESS METHOD host all all 127.0.0.1/32 reject Then, attempting a connection with sslmode=prefer, one can see the difference: $ psql -h 127.0.0.1 -d postgres -U postgres psql: error: connection to server at "127.0.0.1", port 5432 failed: FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL encryption connection to server at "127.0.0.1", port 5432 failed: FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", no encryption -- Michael
signature.asc
Description: PGP signature
