On Fri, Feb 15, 2019 at 04:18:40PM -0500, Hugh Ranalli wrote:
> I did see that. However, I'm not *trying* to use it. I set up accounts with
> scram-sha-256 passwords, and when trying to connect I get this message.
> Hence why I tried to disable it.

tls-server-end-point is implemented as a channel binding type, and the only things which got removed are the connection parameter scram_channel_binding and the channel binding type tls-unique. So if you use SSL then channel binding will be used. On my side, if I connect to a server built with SSL and SCRAM then channel binding is used and works.

Now, the error message "channel binding not supported by this build" would show up by either the backend or the frontend if X509_get_signature_nid() is not present in the version of OpenSSL your version of libpq (for the frontend) or your backend are linked to. This function has been added in OpenSSL 1.0.2, so it seems to me that you have an OpenSSL version mismatch between your client and the server. My guess is that the client uses OpenSSL 1.0.2, but the server is linked to OpenSSL 1.0.1 or older.

(Note: I am not seeing anything bad in the code.)
--
Michael
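The version check described in the message above, as an added example that is not part of the original e-mail or of PostgreSQL: it takes the OpenSSL version banner of the library each side is linked to and reports which side predates 1.0.2, the release the message names for X509_get_signature_nid(). The function names and the sample banners are assumptions constructed for illustration.

```python
import re

# Per the message above, X509_get_signature_nid() was added in OpenSSL 1.0.2.
MIN_VERSION = (1, 0, 2)
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, fix) from an OpenSSL version banner, or None."""
    m = _VERSION_RE.match(banner.strip())
    if m is None:
        return None  # not an OpenSSL banner (other TLS library or garbage)
    return tuple(int(part) for part in m.group(1, 2, 3))


def has_signature_nid(banner):
    """True/False when the version is known, None when it cannot be determined."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    # The patch letter (1.0.1e, 1.0.2k) does not matter for this threshold.
    return version >= MIN_VERSION


def diagnose(client_banner, server_banner):
    """List the sides whose OpenSSL is too old for tls-server-end-point."""
    sides = {"client (libpq)": client_banner, "server (backend)": server_banner}
    too_old, unknown = [], []
    for side, banner in sides.items():
        supported = has_signature_nid(banner)
        if supported is None:
            unknown.append(side)
        elif not supported:
            too_old.append(side)
    return {"too_old": too_old, "unknown": unknown}


if __name__ == "__main__":
    # Constructed banners matching the guess in the message: newer client, older server.
    client = "OpenSSL 1.0.2k-fips  26 Jan 2017"
    server = "OpenSSL 1.0.1e-fips 11 Feb 2013"
    print(diagnose(client, server))
```

The banners must describe the library that libpq and the backend are actually linked to, which is not necessarily the `openssl` binary on the PATH.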