At Thu, 24 Dec 2020 11:54:32 -0500, Tom Lane <tgl@xxxxxxxxxxxxx> wrote in
> I wrote:
> > Kyotaro Horiguchi <horikyota.ntt@xxxxxxxxx> writes:
> >> The attached first patch does that.
> >
> > +1, it seems like a clear oversight that the GSSENC patches didn't adjust
> > these messages. The reason SSL state is mentioned is that it's relevant
> > to which pg_hba entry gets chosen; and once we invented "hostgssenc"
> > entries, GSSENC state is also relevant.
>
> Thinking a little more about that: there are not four distinct states,
> because GSS and SSL can't both be enabled (ProcessStartupPacket enforces
> that). So I propose that instead of adding a new field, we make the
> existing field say one of three things: "GSS encryption", "SSL
> encryption", or "no encryption". As per attached. In the back branches,
> it might be best to spell these as "GSS encryption", "SSL on", and "SSL
> off", just to minimize the cosmetic change.

Looks good to me.

I tried the same case where

- did kinit
- pg_hba has hostssl line only

I saw the following lines in server log, which seems good.

FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti@xxxxxxxxxxxx", database "postgres", GSS encryption
FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti@xxxxxxxxxxxx", database "postgres", no encryption

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
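Added example, not part of the message above and not PostgreSQL's own code: a simplified Python model of why the encryption state decides which pg_hba record type can match, reproducing the hostssl-only test from the message. The function names, the host `192.0.2.10` and the user `alice` are constructed; `hostnossl` and `hostnogssenc` are the other documented record types, and address, user and database matching are left out.

```python
# Added example: simplified model of pg_hba.conf record-type matching.
# Address, user and database matching are omitted on purpose.

# Encryption states each record type accepts (GSS and SSL are mutually exclusive).
ACCEPTS = {
    "host":         {"gss", "ssl", "none"},
    "hostssl":      {"ssl"},
    "hostnossl":    {"gss", "none"},
    "hostgssenc":   {"gss"},
    "hostnogssenc": {"ssl", "none"},
}

# Wording proposed in the thread for the last field of the FATAL message.
STATE_TEXT = {"gss": "GSS encryption", "ssl": "SSL encryption", "none": "no encryption"}


def encryption_state(ssl_in_use, gss_enc):
    """Collapse the two flags into one of three states."""
    if ssl_in_use and gss_enc:
        raise ValueError("GSS and SSL encryption cannot both be enabled")
    return "gss" if gss_enc else "ssl" if ssl_in_use else "none"


def first_match(record_types, state):
    """Return (line number, type) of the first record accepting this state, else None."""
    for lineno, rec in enumerate(record_types, start=1):
        if state in ACCEPTS[rec]:
            return lineno, rec
    return None


def rejection_message(host, user, database, state):
    return (f'FATAL: no pg_hba.conf entry for host "{host}", user "{user}", '
            f'database "{database}", {STATE_TEXT[state]}')


def connect(record_types, attempts, host, user, database):
    """Try each (ssl_in_use, gss_enc) attempt in order; collect log lines for rejects."""
    log = []
    for ssl_in_use, gss_enc in attempts:
        state = encryption_state(ssl_in_use, gss_enc)
        match = first_match(record_types, state)
        if match:
            return match, log
        log.append(rejection_message(host, user, database, state))
    return None, log


if __name__ == "__main__":
    # Constructed input mirroring the test in the message: hostssl only,
    # client tries GSS encryption first, then an unencrypted connection.
    result, lines = connect(["hostssl"], [(False, True), (False, False)],
                            "192.0.2.10", "alice", "postgres")
    print(result, *lines, sep="\n")
```

Without the encryption state in the message, the two rejections would be indistinguishable in the log, even though each one failed against the hostssl record for a different reason.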