At Thu, 24 Dec 2020 11:54:32 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in
> I wrote:
> > Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
> >> The attached the first patch does that.
>
> > +1, it seems like a clear oversight that the GSSENC patches didn't adjust
> > these messages. The reason SSL state is mentioned is that it's relevant
> > to which pg_hba entry gets chosen; and once we invented "hostgssenc"
> > entries, GSSENC state is also relevant.
>
> Thinking a little more about that: there are not four distinct states,
> because GSS and SSL can't both be enabled (ProcessStartupPacket enforces
> that). So I propose that instead of adding a new field, we make the
> existing field say one of three things: "GSS encryption", "SSL
> encryption", or "no encryption". As per attached. In the back branches,
> it might be best to spell these as "GSS encryption", "SSL on", and "SSL
> off", just to minimize the cosmetic change.
Looks good to me.
I tried the same case where
- did kinit
- pg_hba has hostssl line only
I saw the following lines in server log, which seems good.
FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti@MYDOMAIN.COM", database "postgres", GSS
encryption
FATAL: no pg_hba.conf entry for host "192.168.56.101", user "horiguti@MYDOMAIN.COM", database "postgres", no
encryption
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
