On 2019-02-18 02:06, Michael Paquier wrote: > Now, the error message "channel binding not supported by this build" > would show up by either the backend or the frontend if > X509_get_signature_nid() is not present in the version of OpenSSL your > version of libpq (for the frontend) or your backend are linked to. > This function has been added in OpenSSL 1.0.2, so it seems to me that > you have an OpenSSL version mismatch between your client and the > server. My guess is that the client uses OpenSSL 1.0.2, but the > server is linked to OpenSSL 1.0.1 or older. I think there is a bug in the frontend code. If the server offers SCRAM-SHA-256-PLUS, the client will choose it if SSL is in use, but it will later fail with this error message if not HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH. The code in src/interfaces/libpq/fe-auth.c:pg_SASL_init() should take HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH into account before selecting SCRAM-SHA-256-PLUS. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
