From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Negotiating the SCRAM channel binding type |
Date: | 2018-08-05 12:08:08 |
Message-ID: | 20180805120808.GA22007@paquier.xyz |
Lists: | pgsql-hackers |
On Sun, Aug 05, 2018 at 02:00:04PM +0300, Heikki Linnakangas wrote:
> I did some further testing with this, compiling with and without
> HAVE_BE_TLS_GET_CERTIFICATE_HASH and HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH,
> and fixed a few combinations that did not work. And I fixed the other
> comment typos etc. that you pointed out.

There are two things that I am really unhappy about. The first is that you
completely wiped out the test suite for channel binding. We know that channel
binding will be used once HAVE_X509_GET_SIGNATURE_NID is set, hence why
didn't you keep the check on supports_tls_server_end_point to determine
if the connection should be a failure or a success?

Then, I also find the meddling around HAVE_X509_GET_SIGNATURE_NID and
the other flags over-complicated, but I won't fight hard on that point
if you want to go your way.

> I have committed this now, because I think it's important to get this into
> the next beta version, and I'd like to get a full cycle on the buildfarm
> before that. But if you have the chance, please have one more look at the
> committed version, to make sure I didn't mess something up.

This I definitely agree with, getting this patch in before beta 3 is the
best thing to do now.

--
Michael