Re: Question about error message in auth.c - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: Question about error message in auth.c
Date
Msg-id ZG6oppOMgMYijaG8@paquier.xyz
Whole thread Raw
In response to Question about error message in auth.c  (Dave Cramer <davecramer@gmail.com>)
List pgsql-hackers
On Wed, May 24, 2023 at 02:12:23PM -0400, Dave Cramer wrote:
> The last piece of information is the encryption state. However when an SSL
> connection fails to authenticate the state is not encrypted.
>
> When would it ever be encrypted if authentication fails ?

I am not sure to follow.  Under a SSL connection things should be
encrypted.  Or perhaps that's something related to hostssl and/or
hostnossl?

Back to the point, the SSL handshake happens before any authentication
attempt and any HBA resolution, so a connection could be encrypted
before authentication gets rejected.  The error path you are pointing
at would happen after the SSL handshake is done.  For instance, take
an HBA entry like that:
# TYPE  DATABASE    USER       ADDRESS             METHOD
host    all         all        127.0.0.1/32        reject

Then, attempting a connection with sslmode=prefer, one can see the
difference:
$ psql -h 127.0.0.1 -d postgres -U postgres
psql: error: connection to server at "127.0.0.1", port 5432 failed:
FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user
"postgres", database "postgres", SSL encryption
connection to server at "127.0.0.1", port 5432 failed: FATAL:
pg_hba.conf rejects connection for host "127.0.0.1", user "postgres",
database "postgres", no encryption
--
Michael

Attachment

pgsql-hackers by date:

Previous
From: Thomas Munro
Date:
Subject: Re: Proposal: Removing 32 bit support starting from PG17++
Next
From: Tom Lane
Date:
Subject: Re: Proposal: Removing 32 bit support starting from PG17++