From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jeff Davis <jdavis(at)postgresql(dot)org>, pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Add libpq parameter 'channel_binding'. |
Date: | 2019-09-30 06:45:39 |
Message-ID: | 20190930064539.GK2888@paquier.xyz |
Lists: | pgsql-committers |
On Mon, Sep 30, 2019 at 08:47:33AM +0900, Michael Paquier wrote:
> On Sun, Sep 29, 2019 at 12:51:31PM -0400, Tom Lane wrote:
>> Another point is that this error message is misleading --- or at least
>> would be misleading if the server had X509_get_signature_nid and the
>> client didn't.
>>
>> -#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
>> if (conn->channel_binding[0] != 'd') /* disable */
>> + {
>> +#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
>> selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
>> +#else
>> + printfPQExpBuffer(&conn->errorMessage,
>> + libpq_gettext("client does not support SCRAM-SHA-256-PLUS authentication\n"));
>> + goto error;
>> + }
>> #endif
>> }
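Review bot: as quoted, the added `+ }` sits inside the `#else` arm ahead of the unchanged `#endif`, so when HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH is defined the block opened by `+ {` after the `if` has no matching close and the context `}` below `#endif` ends up closing the `if` instead of its original block; move the `}` below `#endif` so both preprocessor arms leave the braces balanced. Separately, the `#else` arm errors out for every channel_binding value other than 'd', so a client built without the certificate-hash function fails even with "prefer" instead of falling back to SCRAM-SHA-256; gate the `printfPQExpBuffer`/`goto error` on "require" (first character 'r') only.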
>
> Yes, it looks sensible to do that.
If the server publishes SCRAM-SHA-256-PLUS and the server does not
support channel binding, then we get this error message:
"channel binding is required, but server did not offer an
authentication method that supports channel binding."
So that's the part which is wrong.
Now, I am not completely sure that the suggested change is completely
right either as we would get an error in this scenario when
channel_binding is "prefer" or "require". For "require", this error
message is fine. However, for "prefer", shouldn't we do what we do on
HEAD, aka *not* select SCRAM-SHA-256-PLUS and switch to SCRAM-SHA-256?
This would have the advantage of making the connection work with default
parameters.
--
Michael
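As an added illustration, not libpq's code and not part of this message, the following stand-alone C model spells out the decision table argued for above: channel_binding "disable", "prefer" or "require" on the client, a flag standing in for HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH, and whether the server advertised SCRAM-SHA-256-PLUS and/or SCRAM-SHA-256. The function and enum names (select_scram_mechanism, sel_result, SEL_*) are this example's own; the two error strings for the "require" cases are the ones quoted in the thread, the third is constructed.

```c
/*
 * Added example, not libpq code: a model of client-side SCRAM mechanism
 * selection with channel binding.  Names (select_scram_mechanism,
 * sel_result, SEL_*) are this example's own.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SCRAM_SHA_256_NAME      "SCRAM-SHA-256"
#define SCRAM_SHA_256_PLUS_NAME "SCRAM-SHA-256-PLUS"

/* Outcome of the selection: a mechanism, or the reason none was usable. */
typedef enum {
    SEL_SCRAM_SHA_256,
    SEL_SCRAM_SHA_256_PLUS,
    SEL_ERR_SERVER_LACKS_CB,   /* "require", server offered no -PLUS */
    SEL_ERR_CLIENT_LACKS_CB,   /* "require", client built without cert-hash */
    SEL_ERR_NO_MECHANISM       /* server offered neither SCRAM variant */
} sel_result;

/*
 * channel_binding is "disable", "prefer" or "require"; like the quoted hunk
 * only the first character is inspected.  client_has_cert_hash stands in for
 * HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
 */
sel_result
select_scram_mechanism(const char *channel_binding,
                       bool client_has_cert_hash,
                       bool server_offers_plus,
                       bool server_offers_plain)
{
    char mode = channel_binding[0];
    bool want_cb = (mode == 'p' || mode == 'r');
    bool require_cb = (mode == 'r');

    if (want_cb && server_offers_plus)
    {
        /* Both sides can do channel binding: use it. */
        if (client_has_cert_hash)
            return SEL_SCRAM_SHA_256_PLUS;

        /*
         * The server offered -PLUS but this client cannot honour it.  With
         * "require" that is fatal and the message must blame the client, not
         * the server.  With "prefer" we fall through to plain SCRAM-SHA-256,
         * so default parameters still connect.
         */
        if (require_cb)
            return SEL_ERR_CLIENT_LACKS_CB;
    }
    else if (require_cb)
    {
        /* Channel binding demanded, but the server never offered it. */
        return SEL_ERR_SERVER_LACKS_CB;
    }

    if (server_offers_plain)
        return SEL_SCRAM_SHA_256;

    return SEL_ERR_NO_MECHANISM;
}

/* Human-readable form: mechanism name, or the error text a client would log. */
const char *
sel_result_message(sel_result r)
{
    switch (r)
    {
        case SEL_SCRAM_SHA_256:      return SCRAM_SHA_256_NAME;
        case SEL_SCRAM_SHA_256_PLUS: return SCRAM_SHA_256_PLUS_NAME;
        case SEL_ERR_SERVER_LACKS_CB:
            return "channel binding is required, but server did not offer an "
                   "authentication method that supports channel binding";
        case SEL_ERR_CLIENT_LACKS_CB:
            return "client does not support SCRAM-SHA-256-PLUS authentication";
        default:
            return "no supported SASL mechanism offered"; /* constructed text */
    }
}

int
main(void)
{
    const char *modes[] = { "disable", "prefer", "require" };
    /* Print the full decision table for a client without cert-hash support. */
    for (int i = 0; i < 3; i++)
        printf("%-8s client=no-hash  server=PLUS+plain -> %s\n", modes[i],
               sel_result_message(select_scram_mechanism(modes[i], false, true, true)));
    return 0;
}
```

The "prefer" row of the printed table is the behaviour the reply asks for: with the server advertising SCRAM-SHA-256-PLUS and a client built without the certificate-hash function, selection falls back to SCRAM-SHA-256 instead of failing, while "require" produces the client-side error rather than the misleading server-side one.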