Re: Protocol problem with GSSAPI encryption?
| От | Bruce Momjian |
|---|---|
| Тема | Re: Protocol problem with GSSAPI encryption? |
| Дата | |
| Msg-id | 20191220181627.GF29807@momjian.us обсуждение исходный текст |
| Ответ на | Re: Protocol problem with GSSAPI encryption? (Andrew Gierth <andrew@tao11.riddles.org.uk>) |
| Список | pgsql-hackers |
On Fri, Dec 20, 2019 at 06:14:09PM +0000, Andrew Gierth wrote: > >>>>> "Bruce" == Bruce Momjian <bruce@momjian.us> writes: > > >> This came up recently on IRC, not sure if the report there was > >> passed on at all. > >> > >> ProcessStartupPacket assumes that there will be only one negotiation > >> request for an encrypted connection, but libpq is capable of issuing > >> two: it will ask for GSS encryption first, if it looks like it will > >> be able to do GSSAPI, and if the server refuses that it will ask (on > >> the same connection) for SSL. > > Bruce> Are you saying that there is an additional round-trip for > Bruce> starting all SSL connections because we now support GSSAPI, or > Bruce> this only happens if libpq asks for GSSAPI? > > The problem only occurs if libpq thinks it might be able to do GSSAPI, > but the server does not. Without the patch I proposed or something like > it, this case fails to connect at all; with it, there will be an extra > round-trip. Explicitly disabling GSSAPI encryption in the connection > string or environment avoids the issue. > > The exact condition for libpq seems to be a successful call to > gss_acquire_cred, but I'm not familiar with GSS in general. Thanks for the clarification from you and Stephen. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
В списке pgsql-hackers по дате отправления: