| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Hugh Ranalli <hugh(at)whtc(dot)ca> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Channel binding not supported using scram-sha-256 passwords |
| Date: | 2019-02-18 01:06:14 |
| Message-ID: | 20190218010614.GE1864@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Feb 15, 2019 at 04:18:40PM -0500, Hugh Ranalli wrote:
> I did see that. However, I'm not *trying* to use it. I set up accounts with
> scram-sha-256 passwords, and when trying to connect I get this message.
> Hence why I tried to disable it.
tls-server-end-point is implemented as channel binding type, and the
only things which got removed as the connection parameter
scram_channel_binding and the channel binding type tls-unique. So if
you use SSL then channel binding will be used.
On my side, if I connect to a server built with SSL and SCRAM then
channel binding is used and works.
Now, the error message "channel binding not supported by this build"
would show up by either the backend or the frontend if
X509_get_signature_nid() is not present in the version of OpenSSL your
version of libpq (for the frontend) or your backend are linked to.
This function has been added in OpenSSL 1.0.2, so it seems to me that
you have an OpenSSL version mismatch between your client and the
server. My guess is that the client uses OpenSSL 1.0.2, but the
server is linked to OpenSSL 1.0.1 or older.
(Note: I am not seeing anything bad in the code.)
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2019-02-18 01:19:15 | Re: WSL (windows subsystem on linux) users will need to turn fsync off as of 11.2 |
| Previous Message | Tom Lane | 2019-02-17 22:58:55 | Re: Table Inheritance and Foreign Keys |