On Sun, Sep 29, 2019 at 12:51:31PM -0400, Tom Lane wrote: > I found out the hard way that the added ssl tests fall over on a > platform that doesn't HAVE_X509_GET_SIGNATURE_NID: > > [...] > > I don't think that it's acceptable for the test to fail on a platform > that we're willing to compile on. Maybe just skip these tests if we > lack X509_get_signature_nid?
Yes, that's the bug I found three days ago for which I have posted a patch here: https://www.postgresql.org/message-id/[email protected] In short, I think that the proper way is to adapt the test if X509_get_signature_nid is not around. > Another point is that this error message is misleading --- or at least > would be misleading if the server had X509_get_signature_nid and the > client didn't. > > -#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH > if (conn->channel_binding[0] != 'd') /* disable */ > + { > +#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH > selected_mechanism = SCRAM_SHA_256_PLUS_NAME; > +#else > + printfPQExpBuffer(&conn->errorMessage, > + libpq_gettext("client does not support > SCRAM-SHA-256-PLUS authentication\n")); > + goto error; > + } > #endif > } Yes, it looks sensible to do that. -- Michael
signature.asc
Description: PGP signature
