From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jeff Davis <jdavis(at)postgresql(dot)org>, pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Add libpq parameter 'channel_binding'. |
Date: | 2019-09-30 07:08:26 |
Message-ID: | 20190930070826.GM2888@paquier.xyz |
Lists: | pgsql-committers |
On Mon, Sep 30, 2019 at 03:45:39PM +0900, Michael Paquier wrote:
> If the server publishes SCRAM-SHA-256-PLUS and the server does not
> support channel binding, then we get this error message:
> "channel binding is required, but server did not offer an
> authentication method that supports channel binding."
> So that's the part which is wrong.
>
> Now, I am not completely sure that the suggested change is completely
> right either as we would get an error in this scenario when
> channel_binding is "prefer" or "require". For "require", this error
> message is fine. However, for "prefer", shouldn't we do what we do on
> HEAD, aka *not* select SCRAM-SHA-256-PLUS and switch to SCRAM-SHA-256?
> This would have the advantage to make the connection work with default
> parameters.

So, something like the attached looks better to me. Using a server
which publishes SCRAM-SHA-256-PLUS, I get the following over SSL:

1) client supports channel binding:

    1-1) channel_binding = disable => OK, with SCRAM-SHA-256
    1-2) channel_binding = prefer => OK, with SCRAM-SHA-256-PLUS
    1-3) channel_binding = require => OK, with SCRAM-SHA-256-PLUS

2) client does not support channel binding

    2-1) channel_binding = disable => OK, with SCRAM-SHA-256
    2-2) channel_binding = prefer => OK, with SCRAM-SHA-256
    2-3) channel_binding = require => failure with new error message,
         instead of the confusing one.

The bug is with 2-3, and Tom's suggestion would have switched 2-2 to a
failure (2-2 works on HEAD).

--
Michael
Attachment | Content-Type | Size |
---|---|---|
channel-binding-fix-v1.patch | text/x-diff | 1.3 KB |
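
The selection matrix from this message, written out as a small C model. This is an added example, not libpq code and not the attached patch. The function and enum names are hypothetical, SSL is assumed throughout, and the rows for a server that does not offer SCRAM-SHA-256-PLUS go beyond the six cases the message lists.

```c
#include <stdbool.h>
#include <stdio.h>

/* Client-side channel_binding settings named in the message. */
enum cb_mode { CB_DISABLE, CB_PREFER, CB_REQUIRE };

/* Selection outcomes; these names are hypothetical, not libpq identifiers. */
enum sasl_choice {
    USE_SCRAM_SHA_256,
    USE_SCRAM_SHA_256_PLUS,
    FAIL_CLIENT_LACKS_CB,  /* case 2-3 in the message */
    FAIL_SERVER_LACKS_CB,  /* require, but no -PLUS mechanism offered */
    FAIL_NO_MECHANISM      /* nothing usable was offered */
};

/* Model of SCRAM mechanism choice on an SSL connection (assumed throughout). */
enum sasl_choice
select_mechanism(bool offers_plus, bool offers_plain,
                 bool client_has_cb, enum cb_mode mode)
{
    /* Bind to the channel whenever both ends can and it is not disabled. */
    if (offers_plus && client_has_cb && mode != CB_DISABLE)
        return USE_SCRAM_SHA_256_PLUS;

    /* "require" fails closed: no fallback to an unbound mechanism. */
    if (mode == CB_REQUIRE)
        return offers_plus ? FAIL_CLIENT_LACKS_CB : FAIL_SERVER_LACKS_CB;

    /* "disable" and "prefer" fall back to plain SCRAM-SHA-256. */
    return offers_plain ? USE_SCRAM_SHA_256 : FAIL_NO_MECHANISM;
}

int main(void)
{
    static const char *const modes[] = { "disable", "prefer", "require" };
    static const char *const results[] = {
        "OK, with SCRAM-SHA-256", "OK, with SCRAM-SHA-256-PLUS",
        "failure: client lacks channel binding",
        "failure: server offered no channel binding", "failure: no mechanism"
    };

    /* Print the six cases from the message: server offers both mechanisms. */
    for (int cb = 1; cb >= 0; cb--)
        for (int m = CB_DISABLE; m <= CB_REQUIRE; m++)
            printf("client_cb=%d channel_binding=%s => %s\n", cb, modes[m],
                   results[select_mechanism(true, true, cb != 0, (enum cb_mode) m)]);
    return 0;
}
```

Only "require" guarantees that the session is bound to the TLS channel; "prefer" accepts plain SCRAM-SHA-256 when either side cannot bind.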