Deal with GSSAPI encrypted connection request from frontend.
author Tatsuo Ishii <ishii@sraoss.co.jp>
Sat, 3 Oct 2020 00:09:41 +0000 (09:09 +0900)
committer Tatsuo Ishii <ishii@sraoss.co.jp>
Sat, 3 Oct 2020 00:09:41 +0000 (09:09 +0900)
If a GSSAPI connection request comes from the frontend, Pgpool-II responded
in an inappropriate way.  For example,

psql: error: could not connect to server: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.

or even:
FATAL:  client authentication failed
DETAIL:  no pool_hba.conf entry for host "x.x.x.x", user "", database "", SSL off
(https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html)

With this commit Pgpool-II responds better, i.e. replies back to
the frontend with "we don't support GSSAPI" and expects that the frontend
falls back to SSL connection (if frontend's param: gssencmode=prefer
(default) and SSL is configured when Pgpool-II was built) or falls back
to non-SSL connection.

Patch by me, reviewed and tested by Umar Hayat.

src/protocol/child.c

index 7b167cb4f325d1242d4a608509d2d8a0dc84bb40..a7e6fcd5d70827a56753978ac8174ec8eeb58d42 100644 (file)
@@ -1906,6 +1906,20 @@ retry_startup:
                goto retry_startup;
        }
 
+       /* GSSAPI? */
+       if (sp->major == 1234 && sp->minor == 5680)
+       {
+               ereport(DEBUG1,
+                               (errmsg("selecting backend connection"),
+                                errdetail("GSSAPI request from client")));
+
+               /* sorry, Pgpool-II does not support GSSAPI yet */
+               pool_write_and_flush(frontend, "N", 1);
+
+               pool_free_startup_packet(sp);
+               goto retry_startup;
+       }
+
        frontend->protoVersion = sp->major;
        frontend->database = pstrdup(sp->database);
        frontend->username = pstrdup(sp->user);
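
Review bot: the `goto retry_startup` that ends the new GSSAPI branch has no limit visible in this hunk, so a client that keeps sending the 1234/5680 request is answered with "N" and read again for as long as it likes; consider a per-connection flag that accepts the GSSAPI request once and rejects a repeat. The return value of `pool_write_and_flush(frontend, "N", 1)` is also ignored; if it can report a failed write, check it before freeing the packet and retrying. Two smaller points: `errmsg("selecting backend connection")` does not describe this path and will mislead anyone reading DEBUG1 logs, and the literals 1234 and 5680 would read better as a named constant, or at least with a comment saying they encode the GSSAPI encryption request.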