Here's a draft patch for the libpq-side issues. The core of the
fix is to get rid of pqsecure_open_gss's clearing of allow_ssl_try,
and instead check whether GSS encryption is already enabled before
we try to enable SSL. While I was at it I also fixed the places
where we drop an attempted GSS connection: they should set
need_new_connection = true rather than incompletely doing it for
themselves. Notably that coding misses resetting auth_req_received
and password_needed; the consequences of that are minor but not zero.
There are things to fix on the server side, and the documentation
needs work, but this should be enough to solve Mikael's problem
if he's in a position to apply the patch locally.
regards, tom lane
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 7d04d3664e..ec7c4c5e87 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -2909,11 +2909,16 @@ keep_going: /* We will come back to here until there is
#ifdef USE_SSL
/*
- * If SSL is enabled and we haven't already got it running,
- * request it instead of sending the startup message.
+ * If SSL is enabled and we haven't already got encryption of
+ * some sort running, request SSL instead of sending the
+ * startup message.
*/
if (conn->allow_ssl_try && !conn->wait_ssl_try &&
- !conn->ssl_in_use)
+ !conn->ssl_in_use
+#ifdef ENABLE_GSS
+ && !conn->gssenc
+#endif
+ )
{
ProtocolVersion pv;
@@ -3042,6 +3047,7 @@ keep_going: /* We will come back to here until there is
}
/* Otherwise, proceed with normal startup */
conn->allow_ssl_try = false;
+ /* We can proceed using this connection */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
@@ -3139,8 +3145,7 @@ keep_going: /* We will come back to here until there is
* don't hang up the socket, though.
*/
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
@@ -3158,6 +3163,7 @@ keep_going: /* We will come back to here until there is
}
conn->try_gss = false;
+ /* We can proceed using this connection */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
@@ -3186,8 +3192,7 @@ keep_going: /* We will come back to here until there is
* the current connection to do so, though.
*/
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
return pollres;
@@ -3354,10 +3359,9 @@ keep_going: /* We will come back to here until there is
*/
if (conn->gssenc && conn->gssencmode[0] == 'p')
{
- /* postmaster expects us to drop the connection */
+ /* only retry once */
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
#endif
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index bfc0f55214..9416306eea 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -647,17 +647,14 @@ pqsecure_open_gss(PGconn *conn)
if (output.length == 0)
{
/*
- * We're done - hooray! Kind of gross, but we need to disable SSL
- * here so that we don't accidentally tunnel one over the other.
+ * We're done - hooray! Set flag to tell the low-level I/O routines
+ * to do GSS wrapping/unwrapping.
*/
-#ifdef USE_SSL
- conn->allow_ssl_try = false;
-#endif
+ conn->gssenc = true;
/* Clean up */
gss_release_cred(&minor, &conn->gcred);
conn->gcred = GSS_C_NO_CREDENTIAL;
- conn->gssenc = true;
gss_release_buffer(&minor, &output);
/*
