psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol" - Mailing list pgsql-bugs

From Markus KARG
Subject psql v16.3 successfully connects via TLSv1.3 proxy, but psql v16.4 says "tlsv1 alert no application protocol"
Date
Msg-id 68ff85d7-9b41-40ec-bddf-0ca74fe09875@headcrashing.eu
List pgsql-bugs

Summary: The TLS behavior of psql changed between 16.3 and 16.4 as shown below. If this is a bug, I kindly ask to fix it. If this is intended behavior, I kindly ask for a link with instructions on how to work around the problem.


Server:

I am running the official PostgreSQL 17.2 Docker Container (https://hub.docker.com/layers/library/postgres/17.2/images/sha256-c063081175f45f4a3a5ac03c234e060e67618ebe75b49e2a7ffb79f8357bd1e6) proxied by a TLSv1.3 proxy (official Traefik 3.2.3 Docker Container https://hub.docker.com/layers/library/traefik/v3.2.3/images/sha256-06966a9ba1747ad724a490b8f27df1434c64e8eee5d681df03c4761c9653f62c). Traefik utilizes ACME with Let's Encrypt to produce the TLS certificate.

I have neither reconfigured TLS in any other way, nor have I manually provided TLS certificates to either client or server.


Client:

Using the official PostgreSQL Docker Container (16.3 vs 16.4+), I am asking psql to connect to my server. While psql 16.3 and earlier versions successfully connect via the TLS proxy to the PostgreSQL server, psql 16.4 and later versions fail to do so:

root@hetzner-2:~# docker run -it postgres:16.3 psql "host=headcrashing.eu port=5432 dbname=postgres user=postgres password=... sslmode=require"
psql (16.3 (Debian 16.3-1.pgdg120+1), server 17.2 (Debian 17.2-1.pgdg120+1))
WARNING: psql major version 16, server major version 17.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_128_GCM_SHA256, compression: off)
Type "help" for help.

postgres=# \q
root@hetzner-2:~# docker run -it postgres:16.4 psql "host=headcrashing.eu port=5432 dbname=postgres user=postgres password=... sslmode=require"
psql: error: connection to server at "headcrashing.eu" (49.13.53.107), port 5432 failed: SSL error: tlsv1 alert no application protocol

Public Test Environment

Feel free to connect to my personal PostgreSQL 17 instance running at postgres.headcrashing.eu:5432 (TLS required).


With kind regards

-Markus
