Kerberos preferred over SSL in a PostgreSQL environment.

Article ID: 296416

Updated On:

Products

VMware Tanzu Greenplum

Issue/Introduction

In this PostgreSQL environment, GSSAPI credentials are present for the user (i.e., in a credentials cache) and the user also has valid SSL certificates, so either connection type would work. The customer wants this particular user to connect over SSL for security reasons.


The GSS connection is accepted and SSL is ignored, even though the SSL line in pg_hba.conf is above the GSS line and SSL is enabled on the connecting host.


pg_hba.conf is parsed from the top down and the first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no “fall-through” or “backup”: if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
 

In this case, the first line that should match is the SSL-enabled one:
 
- hostssl all user1 0.0.0.0/0 cert map=user1_cert
- host all all 0.0.0.0/0 gss  krb_realm=GPDB.KRB

If the client connects from an SSL-enabled host, the first line of pg_hba.conf should be used and the client should be granted access over SSL. In this case that does not happen; see the example connection string and the resulting connection method below.
 
/opt/vmware/postgres/14/bin/psql "host=xxx dbname=postgres port=xxx sslcert=/xx/user1.crt sslkey=/xx/user1.key sslmode=require"


psql (14.9 (VMware Postgres 14.9.0))
GSSAPI-encrypted connection.  <------------GSS connection not SSL as expected.
Type "help" for help.
There is nothing in the logs to show that there was a problem with SSL; the GSS connection just seems to be preferred.

Environment

Product Version: 14.5

Resolution

Postgres has multiple Database Connection Control Functions, explained here 

https://www.postgresql.org/docs/current/libpq-connect.html

One of these is "gssencmode". This option determines whether, and with what priority, a secure GSS TCP/IP connection will be negotiated with the server. There are three modes:
 
disable
only try a non-GSSAPI-encrypted connection

prefer (default)
if there are GSSAPI credentials present (i.e., in a credentials cache), first try a GSSAPI-encrypted connection; if that fails or there are no credentials, try a non-GSSAPI-encrypted connection. This is the default when PostgreSQL has been compiled with GSSAPI support.

require
only try a GSSAPI-encrypted connection

gssencmode is ignored for Unix domain socket communication. If PostgreSQL is compiled without GSSAPI support, using the require option will cause an error, while prefer will be accepted but libpq will not actually attempt a GSSAPI-encrypted connection.

Because prefer is the default, libpq first tries a GSSAPI-encrypted connection whenever GSSAPI credentials are present (i.e., in a credentials cache), before it considers SSL.

This is the reason that SSL is not being chosen.

To get around this, use "gssencmode=disable" in the connection string.

For example 

 
/opt/vmware/postgres/14/bin/psql "host=xxx dbname=postgres port=xxx sslcert=/xx/user1.crt sslkey=/xx/user1.key gssencmode=disable sslmode=require"
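To see why the hostssl record is skipped, the following added Python example (not from this article or from PostgreSQL) models libpq's documented negotiation order and the top-down matching of the two pg_hba.conf records above. It assumes the server accepts both GSS encryption and SSL, that conninfo values contain no spaces or quotes, and uses a hypothetical client address.

```python
import ipaddress

# Constructed copy of the two pg_hba.conf records from the article:
# (type, database, user, address, auth-method). Not a production configuration.
PG_HBA = [
    ("hostssl", "all", "user1", "0.0.0.0/0", "cert"),
    ("host",    "all", "all",   "0.0.0.0/0", "gss"),
]

def parse_conninfo(conninfo):
    """Split a libpq key=value conninfo string (values without spaces or quotes)."""
    return dict(item.split("=", 1) for item in conninfo.split())

def negotiated_transport(params, gss_creds_present):
    """Model libpq's documented order: GSS encryption is negotiated before SSL.
    Assumes the server accepts both. Returns 'gss', 'ssl' or 'plain'."""
    gssencmode = params.get("gssencmode", "prefer")   # 'prefer' is the compiled-in default
    sslmode = params.get("sslmode", "prefer")
    if gssencmode == "require" or (gssencmode == "prefer" and gss_creds_present):
        return "gss"
    if sslmode in ("prefer", "require", "verify-ca", "verify-full"):
        return "ssl"
    return "plain"

def first_matching_record(transport, dbname, user, client_ip):
    """pg_hba.conf is read top down; the first record whose type, database, user and
    address match is used, with no fall-through. 'hostssl' matches only SSL
    connections, so a GSS-encrypted connection skips it and falls to 'host'."""
    for rec_type, db, usr, cidr, method in PG_HBA:
        if rec_type == "hostssl" and transport != "ssl":
            continue
        if rec_type == "hostnossl" and transport == "ssl":
            continue
        if db != "all" and db != dbname:
            continue
        if usr != "all" and usr != user:
            continue
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr):
            continue
        return rec_type, method
    return None   # no record matched: access is denied

def explain(conninfo, gss_creds_present, user, client_ip):
    """Return (transport, matched record) for one client connection attempt."""
    params = parse_conninfo(conninfo)
    transport = negotiated_transport(params, gss_creds_present)
    return transport, first_matching_record(transport, params["dbname"], user, client_ip)
```

With credentials in the cache and no gssencmode, `explain` reports the GSS transport and the `host ... gss` record; adding `gssencmode=disable` yields the SSL transport and the `hostssl ... cert` record.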