Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit5c9f35f

Browse files
committed
Fix documentation and comments on what happens after GSS rejection
The paragraph in the docs and the comment applied tosslnegotiaton=direct, but not sslnegotiation=requiredirect. In'requiredirect' mode, negotiated SSL is never used. Move the paragraphin the docs under the description of 'direct' mode, and rephrase it.Also the comment's reference to reusing a plaintext connection wasbogus. Authentication failure in plaintext mode only happens aftersending the startup packet, so the connection cannot be reused.Reported-by: Jacob ChampionDiscussion:https://www.postgresql.org/message-id/CAOYmi+=sj+1uydS0NR4nYzw-LRWp3Q-s5speBug5UCLSPMbvGA@mail.gmail.com
1 parent42b0412 commit5c9f35f

File tree

2 files changed

+15
-15
lines changed

2 files changed

+15
-15
lines changed

‎doc/src/sgml/libpq.sgml

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1803,6 +1803,15 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
18031803
process adds significant latency if the initial SSL connection
18041804
fails.
18051805
</para>
1806+
<para>
1807+
An exception is if <literal>gssencmode</literal> is set
1808+
to <literal>prefer</literal>, but the server rejects GSS encryption.
1809+
In that case, SSL is negotiated over the same TCP connection using
1810+
<productname>PostgreSQL</productname> protocol negotiation. In
1811+
other words, the direct SSL handshake is not used, if a TCP
1812+
connection has already been established and can be used for the
1813+
SSL handshake.
1814+
</para>
18061815
</listitem>
18071816
</varlistentry>
18081817

@@ -1816,16 +1825,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
18161825
</listitem>
18171826
</varlistentry>
18181827
</variablelist>
1819-
1820-
<para>
1821-
Note that if <literal>gssencmode</literal> is set
1822-
to <literal>prefer</literal>, a <acronym>GSS</acronym> connection is
1823-
attempted first. If the server rejects GSS encryption, SSL is
1824-
negotiated over the same TCP connection using the traditional postgres
1825-
protocol, regardless of <literal>sslnegotiation</literal>. In other
1826-
words, the direct SSL handshake is not used, if a TCP connection has
1827-
already been established and can be used for the SSL handshake.
1828-
</para>
18291828
</listitem>
18301829
</varlistentry>
18311830

‎src/interfaces/libpq/fe-connect.c

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4430,11 +4430,12 @@ select_next_encryption_method(PGconn *conn, bool have_valid_connection)
44304430

44314431
/*
44324432
* If enabled, try direct SSL. Unless we have a valid TCP connection that
4433-
* failed negotiating GSSAPI encryption or a plaintext connection in case
4434-
* of sslmode='allow'; in that case we prefer to reuse the connection with
4435-
* negotiated SSL, instead of reconnecting to do direct SSL. The point of
4436-
* direct SSL is to avoid the roundtrip from the negotiation, but
4437-
* reconnecting would also incur a roundtrip.
4433+
* failed negotiating GSSAPI encryption; in that case we prefer to reuse
4434+
* the connection with negotiated SSL, instead of reconnecting to do
4435+
* direct SSL. The point of sslnegotiation=direct is to avoid the
4436+
* roundtrip from the negotiation, but reconnecting would also incur a
4437+
* roundtrip. (In sslnegotiation=requiredirect mode, negotiated SSL is not
4438+
* in the list of allowed methods and we will reconnect.)
44384439
*/
44394440
if (have_valid_connection)
44404441
SELECT_NEXT_METHOD(ENC_NEGOTIATED_SSL);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp