Re: Channel binding not supported using scram-sha-256 passwords

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Hugh Ranalli <hugh(at)whtc(dot)ca>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Channel binding not supported using scram-sha-256 passwords
Date: 2019-02-26 22:35:28
Message-ID: 20190226223528.GA1655@paquier.xyz
Lists: pgsql-general

On Tue, Feb 26, 2019 at 10:04:35AM -0500, Tom Lane wrote:
> Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
>> I tried reproducing the issue locally, but the required OpenSSL version
>> is too old to be easily available.
>
> Hm, I've got buildfarm hosts with quite old OpenSSLs handy. What
> tests do you want done, exactly?

I would think that Peter is looking for tests which use SCRAM
authentication over SSL with the following versions of OpenSSL used
by the client:
1) Server at 1.0.1, client at 1.0.2, channel binding should not be
used, authentication should succeed.
2) Server at 1.0.2, client at 1.0.1, here also channel binding should
not be used, and connection should succeed.

The patch changes the behavior of 2), which was failing as the client
would use SCRAM_PLUS as SASL mechanism over SCRAM even if the client
does not support channel binding.

What I do in such cases is to compile OpenSSL by myself and link
Postgres to it; here is a command to build shared libraries (all of
which is documented in INSTALL):
./config --prefix=$INSTALLPATH shared

Another trick would be to comment out the sections in libpq where
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH is used to emulate a compilation
with OpenSSL 1.0.1 features and older, while still linking with
1.0.2.

If you want to test the patch and check by yourself, that's of course
fine by me. Just let me know when you are done and if you think the
patch is good for commit.
--
Michael
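The mechanism selection described above, written out as an added example (this is not libpq's code; the caps struct, the fixed flag and the function names are assumptions for illustration). The two scenarios from the mail are the interesting inputs: a server without certificate-hash support never offers -PLUS, while a client without it must not pick -PLUS when the server offers it.

```c
#include <stdbool.h>
#include <string.h>

#define SCRAM_SHA_256      "SCRAM-SHA-256"
#define SCRAM_SHA_256_PLUS "SCRAM-SHA-256-PLUS"

/* Assumed capability flags for one end of the connection (not libpq's own structs). */
typedef struct {
    bool ssl_in_use;     /* the session runs over TLS */
    bool can_cert_hash;  /* build can hash a certificate, i.e. OpenSSL 1.0.2 or newer */
} caps;

/* Server: offer -PLUS only over TLS and when this build can hash its certificate. */
static int server_mechanisms(caps srv, const char *out[2])
{
    int n = 0;
    if (srv.ssl_in_use && srv.can_cert_hash)
        out[n++] = SCRAM_SHA_256_PLUS;
    out[n++] = SCRAM_SHA_256;
    return n;
}

/* Client: pick a mechanism.  fixed == false mirrors the defect in the thread:  */
/* a TLS client takes -PLUS even if it cannot produce binding data.  fixed ==   */
/* true also requires the client's own certificate-hash support before -PLUS.  */
static const char *client_select(caps cli, const char *offered[], int n, bool fixed)
{
    const char *fallback = NULL;
    for (int i = 0; i < n; i++) {
        if (strcmp(offered[i], SCRAM_SHA_256_PLUS) == 0 && cli.ssl_in_use &&
            (!fixed || cli.can_cert_hash))
            return SCRAM_SHA_256_PLUS;
        if (strcmp(offered[i], SCRAM_SHA_256) == 0)
            fallback = SCRAM_SHA_256;
    }
    return fallback;
}

/* -PLUS needs binding data from both ends; a mismatch fails authentication. */
static bool handshake_ok(caps srv, caps cli, bool fixed)
{
    const char *offered[2];
    int n = server_mechanisms(srv, offered);
    const char *mech = client_select(cli, offered, n, fixed);
    if (mech == NULL) return false;
    if (strcmp(mech, SCRAM_SHA_256_PLUS) == 0)
        return cli.can_cert_hash && srv.can_cert_hash;
    return true;
}
```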
