Re: pg13 psql can't connect pg instance with ssl enabled after upgrading

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thanks Tom.  you are right, we are using GSS authentication. and psql version is 13.1
postgresql_13_1/bin/psql --version
psql (PostgreSQL) 13.1

and if I don't enforce ssl connection in pg_hba.conf file(don't use hostssl, and use host), pg13 psql could connect
postgresql_13_1/bin/psql "sslmode=require host=xxxxx dbname=postgres"
psql (13.1)
GSSAPI-encrypted connection
Type "help" for help.

pg13 psql can also login with ssl connection on pg11 instance
postgresql_13_1/bin/psql "sslmode=require host=bbbbbbb dbname=postgres"
psql (13.1, server 11.8)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

and pg11 psql can also login pg13 instance with ssl enabled
public_postgresql_11_8/bin/psql "sslmode=require host=xxxxxx dbname=postgres"
psql (11.8, server 13.1)
WARNING: psql major version 11, server major version 13.
         Some psql features might not work.
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

only pg13 psql doesn't work with pg13 instance with ssl enabled.......
shall I try pg13.2 first? 

thanks,
James



From: Tom Lane <tgl@xxxxxxxxxxxxx>
Sent: Friday, February 12, 2021 16:50
To: jian xu <jamesxu@xxxxxxxxxxx>
Cc: pgsql-admin <pgsql-admin@xxxxxxxxxxxxxx>
Subject: Re: pg13 psql can't connect pg instance with ssl enabled after upgrading
 
jian xu <jamesxu@xxxxxxxxxxx> writes:
> the instance didn't have ssl enabled, we upgraded it to pg13, then enabled ssl, however when we try to login with pg13 psql 13, psql  always try ssl=off to login
> public_postgresql_13_1/bin/psql "sslmode=require host=xxxxxx dbname=postgres"
> psql: error: FATAL:  no pg_hba.conf entry for host "xxxxx", user "xxxx", database "postgres", SSL off

Are you entirely sure that that version of psql (or more accurately,
the libpq it's linked to) was built with SSL support?

If you are in an environment where GSS encryption is possible, it
could also be that you're being bit by the recently-fixed bug that
libpq didn't fall back from GSS to SSL encryption correctly [1].
That seems unlikely though, as both client and server would need to
possess active Kerberos tickets.

                        regards, tom lane

[1] https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=06b844c2b
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux