| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz>, Hugh Ranalli <hugh(at)whtc(dot)ca> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Channel binding not supported using scram-sha-256 passwords |
| Date: | 2019-02-20 15:53:32 |
| Message-ID: | 56d28a96-6a18-8eb0-3c23-2a980a29a01f@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2019-02-18 02:06, Michael Paquier wrote:
> Now, the error message "channel binding not supported by this build"
> would show up by either the backend or the frontend if
> X509_get_signature_nid() is not present in the version of OpenSSL your
> version of libpq (for the frontend) or your backend are linked to.
> This function has been added in OpenSSL 1.0.2, so it seems to me that
> you have an OpenSSL version mismatch between your client and the
> server. My guess is that the client uses OpenSSL 1.0.2, but the
> server is linked to OpenSSL 1.0.1 or older.
I think there is a bug in the frontend code. If the server offers
SCRAM-SHA-256-PLUS, the client will choose it if SSL is in use, but it
will later fail with this error message if not
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
The code in src/interfaces/libpq/fe-auth.c:pg_SASL_init() should take
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH into account before selecting
SCRAM-SHA-256-PLUS.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2019-02-20 16:01:13 | Re: Plpythonu extension |
| Previous Message | Vincent Predoehl | 2019-02-20 14:46:38 | Plpythonu extension |