From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Jeff Davis <jdavis(at)postgresql(dot)org> |
Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Add libpq parameter 'channel_binding'. |
Date: | 2019-09-29 16:51:31 |
Message-ID: | 24857.1569775891@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Jeff Davis <jdavis(at)postgresql(dot)org> writes:
> Add libpq parameter 'channel_binding'.
I found out the hard way that the added ssl tests fall over on a
platform that doesn't HAVE_X509_GET_SIGNATURE_NID:
# Running: psql -X -A -t -c SELECT $$connected with user=ssltestuser channel_bin
ding=require$$ -d dbname=trustdb sslmode=require sslcert=invalid sslrootcert=inv
alid hostaddr=127.0.0.1 user=ssltestuser channel_binding=require
psql: error: could not connect to server: channel binding is required, but serve
r did not offer an authentication method that supports channel binding
not ok 5 - SCRAM with SSL and channel_binding=require
# Failed test 'SCRAM with SSL and channel_binding=require'
# at t/002_scram.pl line 63.
I don't think that it's acceptable for the test to fail on a platform
that we're willing to compile on. Maybe just skip these tests if we
lack X509_get_signature_nid?
Another point is that this error message is misleading --- or at least
would be misleading if the server had X509_get_signature_nid and the
client didn't. Perhaps do something like
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 04118d5..4289551 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -476,9 +476,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
* supported by the client if a hash of the peer certificate
* can be created, and if channel_binding is not disabled.
*/
-#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
if (conn->channel_binding[0] != 'd') /* disable */
+ {
+#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
+#else
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("client does not support SCRAM-SHA-256-PLUS authentication\n"));
+ goto error;
+ }
#endif
}
else
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2019-09-29 21:10:43 | pgsql: doc: Further clarify how recovery target parameters are applied |
Previous Message | Tom Lane | 2019-09-29 16:35:58 | pgsql: Fix bogus order of error checks in new channel_binding code. |