Thread: BUG #18095: Unintended non-SSL connection attempt by psql cli command after a failed password authentication

The following bug has been logged on the website:

Bug reference:      18095
Logged by:          Youssef TOURKI
Email address:      ytourki@ext.scaleway.com
PostgreSQL version: 14.9
Operating system:   Ubuntu 22
Description:

The bug is related to the psql client (cli)  

When connecting to a PostgreSQL server (version 14) configured to only
accept SSL connections, if a user provides an incorrect password, the psql
client (version 14) returns two error messages in succession. The first
message correctly indicates a password authentication failure, but the
second suggests an unexpected non-SSL connection attempt.

Steps to Reproduce:

Configure the PostgreSQL server to accept only SSL connections.
Use the psql client to connect to the server, intentionally providing an
incorrect password.
Observe the error messages returned.
Expected Behavior:

Upon providing an incorrect password, the user should receive a single error
message related to the authentication failure. The client should not attempt
a non-SSL connection, especially given that the server is configured to only
accept SSL.

Actual Behavior:

Two error messages are displayed in the following order:

psql: error: connection to server at "172.17.0.4", port 5432 failed: FATAL:
password authentication failed for user "postgres"
connection to server at "172.17.0.4", port 5432 failed: FATAL: no
pg_hba.conf entry for host "172.17.0.1", user "postgres", database
"postgres", no encryption

The second message indicates an unexpected non-SSL connection attempt by the
psql client after the initial authentication failure.

Environment:

PostgreSQL Server Version: 14
psql Client Version: 14


PG Bug reporting form <noreply@postgresql.org> writes:
> When connecting to a PostgreSQL server (version 14) configured to only
> accept SSL connections, if a user provides an incorrect password, the psql
> client (version 14) returns two error messages in succession. The first
> message correctly indicates a password authentication failure, but the
> second suggests an unexpected non-SSL connection attempt.

This is libpq's (not psql's) default behavior.  If you don't like it,
you need to set the sslmode parameter in the connection string to prevent
non-SSL connection attempts.  See

https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS

            regards, tom lane



On Thu, 2023-09-07 at 16:44 +0000, PG Bug reporting form wrote:
> Bug reference:      18095
> Logged by:          Youssef TOURKI
> Email address:      ytourki@ext.scaleway.com
> PostgreSQL version: 14.9
> Operating system:   Ubuntu 22
> Description:       
>
> The bug is related to the psql client (cli) 
>
> When connecting to a PostgreSQL server (version 14) configured to only
> accept SSL connections, if a user provides an incorrect password, the psql
> client (version 14) returns two error messages in succession. The first
> message correctly indicates a password authentication failure, but the
> second suggests an unexpected non-SSL connection attempt.
>
> Steps to Reproduce:
>
> Configure the PostgreSQL server to accept only SSL connections.
> Use the psql client to connect to the server, intentionally providing an
> incorrect password.
> Observe the error messages returned.
> Expected Behavior:
>
> Upon providing an incorrect password, the user should receive a single error
> message related to the authentication failure. The client should not attempt
> a non-SSL connection, especially given that the server is configured to only
> accept SSL.
>
> Actual Behavior:
>
> Two error messages are displayed

This is no bug; it is working as designed and as documented; see
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLMODE

The default SSL mode is "prefer": the first attempt is an encrypted connection,
if that fails, an unencrypted connection is tried.

To change that, you have to configure the client appropriately:

  psql "host=... port=... user=... dbname=... password=... sslmode=require"

Alternatively, set the environment variable PGSSLMODE to "require".

Yours,
Laurenz Albe