Thread: Question about error message in auth.c

Question about error message in auth.c

From

Dave Cramer

Date:

24 May 2023, 21:12:23

Greetings,

In https://github.com/postgres/postgres/blob/5c2c59ba0b5f723b067a6fa8bf8452d41fbb2125/src/backend/libpq/auth.c#L463

The last piece of information is the encryption state. However when an SSL connection fails to authenticate the state is not encrypted.

When would it ever be encrypted if authentication fails ?

Dave Cramer

Re: Question about error message in auth.c

From

Michael Paquier

Date:

25 May 2023, 03:15:34

On Wed, May 24, 2023 at 02:12:23PM -0400, Dave Cramer wrote:
> The last piece of information is the encryption state. However when an SSL
> connection fails to authenticate the state is not encrypted.
>
> When would it ever be encrypted if authentication fails ?

I am not sure to follow.  Under a SSL connection things should be
encrypted.  Or perhaps that's something related to hostssl and/or
hostnossl?

Back to the point, the SSL handshake happens before any authentication
attempt and any HBA resolution, so a connection could be encrypted
before authentication gets rejected.  The error path you are pointing
at would happen after the SSL handshake is done.  For instance, take
an HBA entry like that:
# TYPE  DATABASE    USER       ADDRESS             METHOD
host    all         all        127.0.0.1/32        reject

Then, attempting a connection with sslmode=prefer, one can see the
difference:
$ psql -h 127.0.0.1 -d postgres -U postgres
psql: error: connection to server at "127.0.0.1", port 5432 failed:
FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user
"postgres", database "postgres", SSL encryption
connection to server at "127.0.0.1", port 5432 failed: FATAL:
pg_hba.conf rejects connection for host "127.0.0.1", user "postgres",
database "postgres", no encryption
--
Michael

Attachment

signature.asc