diff --git a/pkg/sql/pgwire/server.go b/pkg/sql/pgwire/server.go
index 991e6ac61bce..d9754d836e10 100644
--- a/pkg/sql/pgwire/server.go
+++ b/pkg/sql/pgwire/server.go
@@ -1042,8 +1042,12 @@ func (s *Server) maybeUpgradeToSecureConn(
 }
 if connType == hba.ConnLocal {
+ // No existing PostgreSQL driver ever tries to activate TLS over
+ // a unix socket. But in case someone, sometime, somewhere, makes
+ // that mistake, let them know that we don't want it.
 clientErr = pgerror.New(pgcode.ProtocolViolation, "cannot use SSL/TLS over local connections")
+ return
 }
 // Protocol sanity check.
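Review bot: The added comment in the `connType == hba.ConnLocal` branch explains why the error exists, but not why control has to stop there, and the new `return` is the actual behavioural change. I would add a line next to it such as `// Return now so a rejected request never reaches the protocol sanity check and the upgrade path below.` The `return` is bare, so it appears to rely on named results set outside the hunk; it is worth confirming that every result other than `clientErr` is in the state the caller expects on this path. A regression test that sends an SSL request over a unix socket and asserts the `ProtocolViolation` error, with no upgrade attempted, would keep the fall-through from coming back. `maybeUpgradeToSecureConn` starts and ends outside the hunk.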