Thread: Can we improve this error message?
Here's an interesting scenario I happened across recently. If you have a single line in the pg_hba.conf: hostssl all all 0.0.0.0/0 md5 Attempting to log in with an incorrect password results in an error message about there not being a pg_hba.conf entry for the user. Reading carefully, the error message states that there's no pg_hba.conf for the user with **ssl off**. What I believe is happening, is that the pg connection libs first try to connect via ssl and get a password failed error, then fallback to trying to connect without ssl, and get a "no pg_hba.conf entry" error. The problem is that the second error masks the first one, hiding the real cause of the connection failure, and causing a lot of confusion. If we could keep both errors and report them both, I feel like it would be an improvement to our client library behavior. -- Bill Moran
On 04/17/2016 09:28 PM, Bill Moran wrote: > If you have a single line in the pg_hba.conf: > > hostssl all all 0.0.0.0/0 md5 > > Attempting to log in with an incorrect password results in an > error message about there not being a pg_hba.conf entry for the > user. > > Reading carefully, the error message states that there's no > pg_hba.conf for the user with **ssl off**. > > What I believe is happening, is that the pg connection libs > first try to connect via ssl and get a password failed error, > then fallback to trying to connect without ssl, and get a "no > pg_hba.conf entry" error. The problem is that the second error > masks the first one, hiding the real cause of the connection > failure, and causing a lot of confusion. > > If we could keep both errors and report them both, I feel like > it would be an improvement to our client library behavior. I got both the messages when I tried this with psql. What did you do when you only got the second message? Output: psql: FATAL: password authentication failed for user "andreas" FATAL: no pg_hba.conf entry for host "127.0.0.1", user "andreas", database "postgres", SSL off Andreas
Andreas Karlsson <andreas@proxel.se> writes: > On 04/17/2016 09:28 PM, Bill Moran wrote: >> What I believe is happening, is that the pg connection libs >> first try to connect via ssl and get a password failed error, >> then fallback to trying to connect without ssl, and get a "no >> pg_hba.conf entry" error. The problem is that the second error >> masks the first one, hiding the real cause of the connection >> failure, and causing a lot of confusion. > I got both the messages when I tried this with psql. What did you do > when you only got the second message? Maybe Bill tried it with a rather old libpq? This rings a bell as being something we fixed awhile back. regards, tom lane
<p dir="ltr"><br /> On Apr 26, 2016 4:41 AM, "Tom Lane" <<a href="mailto:tgl@sss.pgh.pa.us">tgl@sss.pgh.pa.us</a>>wrote:<br /> ><br /> > Andreas Karlsson <<a href="mailto:andreas@proxel.se">andreas@proxel.se</a>>writes:<br /> > > On 04/17/2016 09:28 PM, Bill Moran wrote:<br/> > >> What I believe is happening, is that the pg connection libs<br /> > >> first try to connectvia ssl and get a password failed error,<br /> > >> then fallback to trying to connect without ssl, and geta "no<br /> > >> pg_hba.conf entry" error. The problem is that the second error<br /> > >> masks thefirst one, hiding the real cause of the connection<br /> > >> failure, and causing a lot of confusion.<br />><br /> > > I got both the messages when I tried this with psql. What did you do<br /> > > when you onlygot the second message?<br /> ><br /> > Maybe Bill tried it with a rather old libpq? This rings a bell<br /> >as being something we fixed awhile back.<br /> ><p dir="ltr">Yeah, libpq used to keep just one error message. Iirc,this was changed quite long ago though, but I guess if it's a really old libpq.. <p dir="ltr">/Magnus