From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jeff Davis <jdavis(at)postgresql(dot)org>, pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Add libpq parameter 'channel_binding'. |
Date: | 2019-09-29 23:47:33 |
Message-ID: | 20190929234733.GA2888@paquier.xyz |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
On Sun, Sep 29, 2019 at 12:51:31PM -0400, Tom Lane wrote:
> I found out the hard way that the added ssl tests fall over on a
> platform that doesn't HAVE_X509_GET_SIGNATURE_NID:
>
> [...]
>
> I don't think that it's acceptable for the test to fail on a platform
> that we're willing to compile on. Maybe just skip these tests if we
> lack X509_get_signature_nid?
Yes, that's the bug I found three days ago for which I have posted a
patch here:
https://www.postgresql.org/message-id/20190927024457.GA8485@paquier.xyz
In short, I think that the proper way is to adapt the test if
X509_get_signature_nid is not around.
> Another point is that this error message is misleading --- or at least
> would be misleading if the server had X509_get_signature_nid and the
> client didn't.
>
> -#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> if (conn->channel_binding[0] != 'd') /* disable */
> + {
> +#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
> +#else
> + printfPQExpBuffer(&conn->errorMessage,
> + libpq_gettext("client does not support SCRAM-SHA-256-PLUS authentication\n"));
> + goto error;
> + }
> #endif
> }
Yes, it looks sensible to do that.
--
Michael
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2019-09-29 23:54:20 | Re: pgsql: jit: Re-allow JIT compilation of execGrouping.c hashtable compar |
Previous Message | Andres Freund | 2019-09-29 23:42:05 | Re: pgsql: jit: Re-allow JIT compilation of execGrouping.c hashtable compar |