Gustavsson Mikael <mikael.gustavsson@smhi.se> writes:
> I did a final test before logging out for Christmas because I found a thread in hackers discussing some issue with GSS and SSL.
> So if I set gssencmode=disable on my pgsql-13 to postgres 13 server connection I get an SSL connection.

Oooh ... that's the missing ingredient. Do you have a GSS credentials
cache on the client side, but no support on the server side?
It looks like, if there is a credentials cache and gssencmode isn't
explicitly disabled, we try GSS first. If the server refuses that:

    if (gss_ok == 'N')
    {
        /* Server doesn't want GSSAPI; fall back if we can */
        if (conn->gssencmode[0] == 'r')
        {
            appendPQExpBufferStr(&conn->errorMessage,
                                 libpq_gettext("server doesn't support GSSAPI encryption, but it was required\n"));
            goto error_return;
        }

        conn->try_gss = false;
        conn->status = CONNECTION_MADE;
        return PGRES_POLLING_WRITING;
    }

that is, it decides the connection it has is good enough. This
is not OK if SSL should have been used.
regards, tom lane
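
A server-side check for the symptom discussed in this thread, added here as an example and not taken from the original message or from the PostgreSQL project: it lists client sessions that arrived over TCP but are protected by neither SSL nor GSSAPI encryption. It assumes a server version that provides the pg_stat_gssapi view (12 or later, which covers the 13 server mentioned above) and a role allowed to see other users' sessions.

```sql
-- Added example: find TCP client sessions with no transport encryption.
-- pg_stat_ssl and pg_stat_gssapi each carry one row per backend, keyed by pid.
SELECT a.pid,
       a.usename,
       a.datname,
       a.client_addr,
       a.application_name,
       s.ssl               AS ssl_in_use,
       g.encrypted         AS gss_encrypted,
       g.gss_authenticated
FROM pg_stat_activity AS a
JOIN pg_stat_ssl      AS s USING (pid)
JOIN pg_stat_gssapi   AS g USING (pid)
WHERE a.backend_type = 'client backend'
  AND a.client_addr IS NOT NULL   -- NULL client_addr means a Unix-domain socket
  AND NOT s.ssl                   -- no SSL on this connection
  AND NOT g.encrypted             -- and no GSSAPI encryption either
ORDER BY a.client_addr, a.usename;
```

Any row returned for a client that was expected to use SSL is worth comparing against that client's sslmode and gssencmode settings.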