Re: Problem with ssl and psql in Postgresql 13

2020-12-30 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> I think we'd be best off to always override KRB5_KTNAME if we have a >> nonempty krb_server_keyfile setting, so the attached proposed patch >> makes both functions do it the same way. (I did not make an effort >> to remove the depe

Re: Problem with ssl and psql in Postgresql 13

2020-12-30 Thread Stephen Frost
Greetings, First, thanks a lot for working on all of this and improving things! * Tom Lane (t...@sss.pgh.pa.us) wrote: > I've got one last complaint about the backend GSS code: we are doing > things randomly differently in the two places that install > krb_server_keyfile as the active KRB5_KTNAME

Re: Problem with ssl and psql in Postgresql 13

2020-12-29 Thread Tom Lane
I've got one last complaint about the backend GSS code: we are doing things randomly differently in the two places that install krb_server_keyfile as the active KRB5_KTNAME value. secure_open_gssapi() sets KRB5_KTNAME unconditionally (and doesn't bother to check for error, either, not a good thing

Re: SV: Problem with ssl and psql in Postgresql 13

2020-12-29 Thread Tom Lane
Svensson Peter writes: > Yes, libpq patch solved our problem. Thanks for confirming! I've pushed that patch and the server-side fixes, so it'll be in February's releases. regards, tom lane

SV: Problem with ssl and psql in Postgresql 13

2020-12-29 Thread Svensson Peter
est regards, Peter Svensson, SMHI From: Tom Lane Sent: 26 December 2020 23:06 To: Stephen Frost Cc: Gustavsson Mikael; Magnus Hagander; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: Problem with ssl and psql in Postgresql 13

Re: Problem with ssl and psql in Postgresql 13

2020-12-27 Thread Tom Lane
Here's a more complete patchset. 0001 is the same libpq fixes I posted before. 0002 fixes a collection of random server-side issues, including: * The GSS encryption code figured it could just ereport(ERROR) or ereport(FATAL) for unrecoverable errors. This seems entirely unsafe, because elog.c w

Re: Problem with ssl and psql in Postgresql 13

2020-12-26 Thread Tom Lane
Here's a draft patch for the libpq-side issues. The core of the fix is to get rid of pqsecure_open_gss's clearing of allow_ssl_try, and instead check whether GSS encryption is already enabled before we try to enable SSL. While I was at it I also fixed the places where we drop an attempted GSS con

Re: Problem with ssl and psql in Postgresql 13

2020-12-26 Thread Tom Lane
I wrote: > So this directly explains the original report: if the only applicable > pg_hba.conf entry is "hostssl", right here is where libpq will see > that error, and it will go around and fail again because the next > try uses neither GSS nor SSL. > However, in the tests Mikael ran after backing

Re: Problem with ssl and psql in Postgresql 13

2020-12-24 Thread Kyotaro Horiguchi
At Thu, 24 Dec 2020 11:54:32 -0500, Tom Lane wrote in > I wrote: > > Kyotaro Horiguchi writes: > >> The attached the first patch does that. > > > +1, it seems like a clear oversight that the GSSENC patches didn't adjust > > these messages. The reason SSL state is mentioned is that it's relevan

Re: Problem with ssl and psql in Postgresql 13

2020-12-24 Thread Tom Lane
I wrote: > Kyotaro Horiguchi writes: >> The attached the first patch does that. > +1, it seems like a clear oversight that the GSSENC patches didn't adjust > these messages. The reason SSL state is mentioned is that it's relevant > to which pg_hba entry gets chosen; and once we invented "hostgss

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
Kyotaro Horiguchi writes: > At Wed, 23 Dec 2020 17:34:05 -0500, Tom Lane wrote in >> However, in the tests Mikael ran after backing that pg_hba.conf entry >> off to just "host", pg_hba wouldn't have caused an authentication-stage >> failure, so it's not so clear why we'd have looped back at this

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Kyotaro Horiguchi
At Wed, 23 Dec 2020 17:34:05 -0500, Tom Lane wrote in > Oh ... wait a second. I've just managed to partially reproduce this > report. Assume that we have a working Kerberos environment on both If I kinit'ed and pg_hba.conf doesn't have a hostgssenc line and has a hostssl line, I got the follo

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
Oh ... wait a second. I've just managed to partially reproduce this report. Assume that we have a working Kerberos environment on both ends. Then libpq will establish a connection with GSS encryption and continue on with the usual PG authentication exchange. If that part fails, then this logic

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> In the meantime, I did spot a code path that would explain the symptoms: >> pqsecure_open_gss() clears allow_ssl_try sooner than it oughta. If >> gss_wrap_size_limit() failed for some reason, we'd abandon the GSS >> connection and

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Stephen Frost
Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > >> However: it is true (and undocumented, so we have at least a docs bug > >> to fix) that v12-and-later libpq will try for GSS encryption first, > >> and if it succeeds then it

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> However: it is true (and undocumented, so we have at least a docs bug >> to fix) that v12-and-later libpq will try for GSS encryption first, >> and if it succeeds then it will not consider using SSL, regardless of >> sslmode. So ab

Re: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Stephen Frost
Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > I wrote: > > Gustavsson Mikael writes: > >> So if i set gssencmode=disable on my pgsql-13 to postgres 13 server > >> connection i get an SSL connection. > > > It looks like, if there is a credentials cache and gssencmode isn't > > explicitly d

Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
I wrote: > Gustavsson Mikael writes: >> So if i set gssencmode=disable on my pgsql-13 to postgres 13 server >> connection i get an SSL connection. > It looks like, if there is a credentials cache and gssencmode isn't > explicitly disabled, we try GSS first. If the server refuses that: > ... > t

Re: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Tom Lane
Gustavsson Mikael writes: > I did a final test before logging out for Christmas because i found a thread > in hackers discussing some issue with GSS and SSL. > So if i set gssencmode=disable on my pgsql-13 to postgres 13 server > connection i get an SSL connection. Oooh ... that's the missing i

SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-23 Thread Gustavsson Mikael
From: externaly-forwar...@smhi.se on behalf of Gustavsson Mikael Sent: 22 December 2020 09:07:17 To: Tom Lane Cc: Magnus Hagander; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13 Hi, Yes it'

SV: SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-22 Thread Gustavsson Mikael
Jul as we say in Sweden. KR Mikael Gustavsson, SMHI From: Tom Lane Sent: 18 December 2020 21:02:50 To: Gustavsson Mikael Cc: Magnus Hagander; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: SV: SV: SV: Problem with ssl and

Re: SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-18 Thread Tom Lane
Gustavsson Mikael writes: > pgsql-13 with require: > $ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server > sslmode=require" > Password for user kalle: > psql (13.1) > Type "help" for help. That is just bizarre. libpq should not ignore the sslmode=require option like that, unless it

SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-18 Thread Gustavsson Mikael
on behalf of Gustavsson Mikael Sent: 17 December 2020 17:33:13 To: Tom Lane Cc: Magnus Hagander; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: SV: SV: SV: Problem with ssl and psql in Postgresql 13 Here is the result. ldd /usr/pgsql-13/bin/psql linux-vdso.so.1 (

SV: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Gustavsson Mikael
From: Tom Lane Sent: 17 December 2020 17:25:31 To: Gustavsson Mikael Cc: Magnus Hagander; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: SV: SV: Problem with ssl and psql in Postgresql 13 Gustavsson Mikael writes: > $ /usr/pgsql-13/bin/ps

Re: SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Tom Lane
Gustavsson Mikael writes: > $ /usr/pgsql-13/bin/psql "dbname=postgres user=kalle host=server > sslmode=require" > psql: error: FATAL: no pg_hba.conf entry for host "nn.nnn.n.nnn", user > "kalle", database "postgres", SSL off > FATAL: no pg_hba.conf entry for host "nn.nnn.n.nnn", user "kalle",

SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Gustavsson Mikael
off > > KR Mikael Gustavsson, SMHI > > > From: Magnus Hagander > Sent: 17 December 2020 15:52:55 > To: Gustavsson Mikael > Cc: Tom Lane; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson > Peter > Subject: Re: SV: Probl

Re: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Magnus Hagander
> From: Magnus Hagander > Sent: 17 December 2020 15:52:55 > To: Gustavsson Mikael > Cc: Tom Lane; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson > Peter > Subject: Re: SV: Problem with ssl and psql in Postgresql 13 > > On Thu, Dec 17, 2020 a

SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Gustavsson Mikael
5 To: Gustavsson Mikael Cc: Tom Lane; Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: SV: Problem with ssl and psql in Postgresql 13 On Thu, Dec 17, 2020 at 3:36 PM Gustavsson Mikael wrote: > > > Hi, > > log_connections is on. The ERR message is correct

Re: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Magnus Hagander
On Thu, Dec 17, 2020 at 3:36 PM Gustavsson Mikael wrote: > > > Hi, > > log_connections is on. The ERR message is correct, we do not have an entry > for SSL off. > The question is why psql(13) is trying to connect without ssl? > > 2020-12-17T14:25:09.565566+00:00 server INFO [30-1] pgpid=2422778

SV: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Gustavsson Mikael
gres", SSL off KR Mikael Gustavsson, SMHI From: Tom Lane Sent: 17 December 2020 15:20:01 To: Gustavsson Mikael Cc: Kyotaro Horiguchi; pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: SV: Problem with ssl and psql in Postgresql 13 Gustavsson Mikael

Re: SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Tom Lane
Gustavsson Mikael writes: > Clarification, it's the same postgresql13 server. I just connect with > different psql-clients. Perhaps turning on log_connections on the server would offer some insight. It sort of looks like the v13 client is trying to connect with SSL, failing for some unknown reas

SV: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Gustavsson Mikael
different psql-clients. KR From: Kyotaro Horiguchi Sent: 17 December 2020 09:29:38 To: Gustavsson Mikael Cc: pgsql-gene...@postgresql.org; Svensson Peter Subject: Re: Problem with ssl and psql in Postgresql 13 Hi. At Thu, 17 Dec 2020 07:21:08 +, Gustavsson Mikael w

Re: Problem with ssl and psql in Postgresql 13

2020-12-17 Thread Kyotaro Horiguchi
Hi. At Thu, 17 Dec 2020 07:21:08 +, Gustavsson Mikael wrote in > But not from psql 13: > $ /usr/pgsql-13/bin/psql -d postgres -Ukalle -hserver -W > Password: > psql: error: FATAL: no pg_hba.conf entry for host "nnn.nn.n.nnn", user > "kalle", database "postgres", SSL off > FATAL: no pg_hb

Problem with ssl and psql in Postgresql 13

2020-12-16 Thread Gustavsson Mikael
Hi, We are starting our journey to migrate from Postgresql 11 to Postgresql 13 and have run into a problem. The postgresql 13 version of psql doesn't seem to work with ssl. We use the community built rpms on redhat 8.3: $ rpm -q postgresql11 postgresql11-11.10-1PGDG.rhel8.x86_64 $ rpm -q postgres