config insecure
----

subtest check_ssl_disabled_error

# Check that an attempt to use SSL fails with "SSL not enabled".
connect user=root sslmode=require
----
ERROR: tls error (server refused TLS connection)

subtest end

subtest root_always_enabled

# Regardless of the contents of hba.conf,
# all users can always log in, even without a cert.

set_hba
host all root 0.0.0.0/0 cert
----
# Active authentication configuration on this node:
# Original configuration:
# loopback all all all trust       # built-in CockroachDB default
# host  all root all cert-password # CockroachDB mandatory rule
# host all root 0.0.0.0/0 cert
#
# Interpreted configuration:
# TYPE   DATABASE USER ADDRESS   METHOD        OPTIONS
loopback all      all  all       trust
host     all      root all       cert-password
host     all      root 0.0.0.0/0 cert

connect user=root sslmode=disable
----
ok defaultdb

subtest end

subtest regular_login

connect user=testuser sslmode=disable show_authentication_method
----
ok defaultdb insecure

# If a password is provided, it is ignored.

connect user=testuser password=abc sslmode=disable show_authentication_method
----
ok defaultdb insecure

subtest end

subtest user_does_not_exist

connect user=nonexistent sslmode=disable
----
ERROR: password authentication failed for user nonexistent (SQLSTATE 28P01)

subtest end
