npgsql: AuthenticateSASL with bouncer error

Hi!

After migrating to .NET 5 (maybe this is not the reason) we started having an error while connecting through the bouncer. If we connect directly to the main instance, AuthenticateSASL works as expected, but when we use the bouncer port everything stops working at var saslFinalServerMsg = Expect<AuthenticationSASLFinalMessage>(await ReadMessage(async), this); with an 08P01: SASL authentication failed error.

What can be the reason for this behavior?

Thanks!

We have this error in both 5.0.1 and 5.0.2, while everything looks fine in 3.1.4 and 3.1.6.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (12 by maintainers)

Most upvoted comments

The point being, this exact problem was fixed with version 1.12

So the reason is an incorrect ?: operator:

    if (!successfulBind && supportsSha256)
    {
        mechanism = "SCRAM-SHA-256";
        // We can get here if PostgreSQL supports only SCRAM-SHA-256 or there was an error while binding to SCRAM-SHA-256-PLUS
        // So, we set 'n' (client does not support binding) if there was an error while binding
        // or 'y' (client supports but server doesn't) in other case
        cbindFlag = supportsSha256Plus ? "n" : "y";
        cbind = supportsSha256Plus ? "biws" : "eSws";
        successfulBind = true;
        IsScram = true;
    }

it should be like

    if (!successfulBind && supportsSha256)
    {
        mechanism = "SCRAM-SHA-256";
        // We can get here if PostgreSQL supports only SCRAM-SHA-256 or there was an error while binding to SCRAM-SHA-256-PLUS
        // So, we set 'n' (client does not support binding) if there was an error while binding
        // or 'y' (client supports but server doesn't) in other case
        cbindFlag = supportsSha256Plus ? "y" : "n";
        cbind = supportsSha256Plus ? "eSws" : "biws";
        successfulBind = true;
        IsScram = true;
    }

Should I create a pull request to fix it?

So I checked the code and RFC 5802, and it looks like the code is perfectly aligned with the document.

It looks like the 3.1.x versions did not implement channel binding and always provided a hard-coded “n”.

So I hope upgrading the bouncer version will solve this problem.

@vonzshik Nikita, thank you for the help!
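
The RFC 5802 section 6 flag rule that the two snippets above differ on, written out as an added example (it is not Npgsql's code and not part of the thread). It assumes a client that implements channel binding; the function names and the advertised mechanism lists are constructed for illustration.

```python
import base64

PLAIN, PLUS = "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"

def client_choice(server_mechs, bind_ok):
    """Return (mechanism, gs2_header). bind_ok: TLS binding data was obtained."""
    if PLUS in server_mechs and bind_ok:
        return PLUS, "p=tls-server-end-point,,"
    if PLAIN not in server_mechs:
        raise ValueError("server offers no usable SCRAM mechanism")
    # Server offered -PLUS but binding failed: send 'n'. Sending 'y' would
    # claim the server did not offer -PLUS, which is false here.
    flag = "n" if PLUS in server_mechs else "y"
    return PLAIN, flag + ",,"

def cbind_attribute(gs2_header, cbind_data=b""):
    """c= in client-final-message: base64(gs2-header followed by binding data)."""
    return base64.b64encode(gs2_header.encode("ascii") + cbind_data).decode("ascii")

def server_accepts(server_mechs, mechanism, gs2_header, c_attr, cbind_data=b""):
    """Server-side checks on the flag and on c=, before the proof is verified."""
    flag = gs2_header[0]
    if flag == "y" and PLUS in server_mechs:
        return False  # downgrade detection: the server MUST fail authentication
    if (flag == "p") != (mechanism == PLUS):
        return False  # 'p' is only valid together with the -PLUS mechanism
    expected = cbind_attribute(gs2_header, cbind_data if flag == "p" else b"")
    return c_attr == expected  # c= must echo the header from client-first

if __name__ == "__main__":
    # Constructed cases: what each kind of server advertises.
    for mechs in ([PLAIN], [PLAIN, PLUS]):
        mech, gs2 = client_choice(mechs, bind_ok=False)
        c = cbind_attribute(gs2)
        print(mechs, "->", mech, gs2, "c=" + c,
              "accepted" if server_accepts(mechs, mech, gs2, c) else "rejected")
    # The swapped pairing ('y' / "eSws") against a server that advertises -PLUS:
    print("y against -PLUS server:",
          server_accepts([PLAIN, PLUS], PLAIN, "y,,", cbind_attribute("y,,")))
```

The strings "biws" and "eSws" in the snippets are the base64 encodings of the gs2 headers "n,," and "y,,".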

Uh, I tried at some point to release a new patch version each month, but for now this duty belongs to @roji only. Therefore, there’re two options for you from our side:

  • Wait for the official release of the next patch,
  • Use our MyGet feed instead of NuGet.

@roji sure, why not.

Note that, per the PG documentation, 08P01 is the protocol_violation error.

Just checked the https://github.com/npgsql/npgsql/commit/e88a2da745322b8fd60e320e34ca641655ec9bed commit and can’t see any problems with the new code.

I will try to build and debug from sources; maybe I will find out where the problem is.