On Tue, Feb 26, 2019 at 10:04:35AM -0500, Tom Lane wrote:
> Peter Eisentraut <peter.eisentraut@xxxxxxxxxxxxxxx> writes:
>> I tried reproducing the issue locally, but the required OpenSSL version
>> is too old to be easily available.
>
> Hm, I've got buildfarm hosts with quite old OpenSSLs handy. What
> tests do you want done, exactly?

I would think that Peter is looking for tests which use SCRAM
authentication over SSL with the following versions of OpenSSL used by
the client:
1) Server at 1.0.1, client at 1.0.2, channel binding should not be
used, authentication should succeed.
2) Server at 1.0.2, client at 1.0.1, here also channel binding should
not be used, and connection should succeed.

The patch changes the behavior of 2), which was failing as the client
would use SCRAM_PLUS as SASL mechanism over SCRAM even if the client
does not support channel binding.

What I do in such cases is to compile OpenSSL by myself and link
Postgres to it, here is a command to build shared libraries (all that
is documented in INSTALL):
./config --prefix=$INSTALLPATH shared

Another trick would be to comment out the sections in libpq where
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH is used to emulate a compilation
with OpenSSL 1.0.1 features and older, while still linking with 1.0.2.

If you want to test the patch and check by yourself, that's of course
fine by me. Just let me know when you are done and if you think the
patch is good for commit.
--
Michael
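Added example (not part of the mail above, and not libpq code): a small model of the client's SASL mechanism choice and the SCRAM GS2 channel-binding flag for the two server/client pairings in 1) and 2). The `client_has_cb` flag stands for a libpq built with HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH; the function names, the `fixed` switch and the server-side consistency checks are assumptions for illustration.

```python
# Model of SCRAM mechanism negotiation over SSL (assumed names, not libpq's).
SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"


def select_mechanism(offered, ssl_in_use, client_has_cb, fixed=True):
    """Mechanism the client answers with, given the list the server sent.

    Before the fix the client took the -PLUS variant whenever SSL was in
    use, without checking that it can compute channel binding data.
    """
    wants_plus = ssl_in_use and (client_has_cb or not fixed)
    if wants_plus and SCRAM_PLUS in offered:
        return SCRAM_PLUS
    return SCRAM if SCRAM in offered else None


def gs2_header(mechanism, ssl_in_use, client_has_cb):
    """GS2 flag at the start of client-first-message (RFC 5802)."""
    if not client_has_cb:
        return "n"                       # client cannot do channel binding
    if mechanism == SCRAM_PLUS:
        return "p=tls-server-end-point"  # channel binding in use
    return "y" if ssl_in_use else "n"    # client could, server did not offer


def server_accepts(mechanism, header, server_has_cb):
    """Consistency checks a SCRAM server applies to the client's choice."""
    if mechanism == SCRAM_PLUS and not header.startswith("p="):
        return False  # -PLUS selected but no binding data will be sent
    if mechanism == SCRAM and header == "y" and server_has_cb:
        return False  # client claims server lacks binding: downgrade
    return True


def handshake(server_has_cb, client_has_cb, fixed=True):
    """Negotiate over SSL for one OpenSSL pairing; returns (mech, gs2, ok)."""
    offered = [SCRAM_PLUS, SCRAM] if server_has_cb else [SCRAM]
    mech = select_mechanism(offered, True, client_has_cb, fixed)
    header = gs2_header(mech, True, client_has_cb)
    return mech, header, server_accepts(mech, header, server_has_cb)


if __name__ == "__main__":
    print("1) server 1.0.1, client 1.0.2:", handshake(False, True))
    print("2) server 1.0.2, client 1.0.1:", handshake(True, False))
    print("2) before the fix:            ", handshake(True, False, fixed=False))
```

Case 2) before the fix ends with the -PLUS mechanism paired with an "n" flag, which is the combination a server has to reject; with the fix the client falls back to plain SCRAM-SHA-256 and the connection succeeds.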