On Mon, Sep 30, 2019 at 02:20:29PM -0400, Tom Lane wrote:
> Jeff Davis <[email protected]> writes:
>> For 2-3, shouldn't we error at an earlier stage? The user of the client
>> has requested something impossible to satisfy.
>
> Can't get excited about that. It'd require duplicating this code
> somewhere else, which is a maintenance issue. And the case of building
> with obsolete OpenSSL ought to be fairly infrequent and getting more so
> as time goes on, so I'm not really eager to expend lots of work on it.
Neither am I, and there is one extra reason on top of what Tom has
mentioned: there is still value in warning the client if a rogue server
sends SCRAM-SHA-256-PLUS without SSL, even if channel_binding is required.
I have double-checked the patch and done more tests (server publishing
SCRAM-SHA-256-PLUS with various libpq clients). I have included the full
description of the behavior in the commit log, and applied it.
--
Michael
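The client-side decision discussed above (a server advertising SCRAM-SHA-256-PLUS on a non-SSL connection is reported as an error regardless of the channel_binding setting, and channel_binding=require fails when channel binding cannot actually be used, including a client built against an SSL library without channel-binding support), modelled as an added example. This is not libpq's code; the function name, argument names, the tuple return convention and the error strings are assumptions made here for illustration.

```python
"""Added example (not PostgreSQL/libpq code): a simplified model of the
client-side SASL mechanism choice discussed in the thread.  Names and the
exact error strings are assumptions.  Policy shown:
  * SCRAM-SHA-256-PLUS offered on a non-SSL connection is always an error
    (a rogue or misbehaving server), whatever channel_binding is set to;
  * channel_binding=require fails whenever channel binding cannot be used
    (no SSL, server did not offer it, or the client build cannot do it)."""

SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"


def select_sasl_mechanism(server_mechanisms, ssl_in_use, channel_binding,
                          client_supports_channel_binding=True):
    """Return (mechanism, error); exactly one of the two is None.

    server_mechanisms: mechanisms the server advertised in AuthenticationSASL.
    ssl_in_use: whether the connection is SSL-encrypted.
    channel_binding: 'disable', 'prefer' or 'require' (libpq-style values).
    client_supports_channel_binding: False models a client built against an
    SSL library that cannot provide channel-binding data (the "obsolete
    OpenSSL" case mentioned in the thread).
    """
    if channel_binding not in ("disable", "prefer", "require"):
        return None, "invalid channel_binding value: %r" % (channel_binding,)

    offers_plus = SCRAM_PLUS in server_mechanisms
    offers_plain = SCRAM in server_mechanisms

    # A server must only advertise the -PLUS variant over SSL.  Seeing it on
    # a plain connection is a protocol violation worth surfacing to the user
    # before looking at channel_binding at all.
    if offers_plus and not ssl_in_use:
        return None, "server offered SCRAM-SHA-256-PLUS on a non-SSL connection"

    can_bind = (ssl_in_use and client_supports_channel_binding
                and channel_binding != "disable")

    if offers_plus and can_bind:
        return SCRAM_PLUS, None

    # From here on channel binding will not be used; 'require' must fail.
    if channel_binding == "require":
        if not ssl_in_use:
            return None, "channel binding required but connection is not SSL-encrypted"
        if not client_supports_channel_binding:
            return None, "channel binding required but not supported by this build"
        return None, "channel binding required but server did not offer it"

    if offers_plain:
        return SCRAM, None
    return None, "no supported SASL mechanism offered by server"


if __name__ == "__main__":
    # Constructed scenarios, including the rogue-server case from the thread.
    cases = [
        ([SCRAM, SCRAM_PLUS], True, "prefer", True),
        ([SCRAM, SCRAM_PLUS], False, "require", True),   # rogue server
        ([SCRAM], True, "require", True),                # server lacks -PLUS
        ([SCRAM, SCRAM_PLUS], True, "require", False),   # old SSL library
        ([SCRAM, SCRAM_PLUS], True, "disable", True),
    ]
    for mechs, ssl, cb, supported in cases:
        print(mechs, ssl, cb, supported, "->",
              select_sasl_mechanism(mechs, ssl, cb, supported))
```

The non-SSL check sits before the channel_binding branch on purpose: that ordering is what makes the warning fire for a rogue server even when channel_binding=require, which is the point made in the reply above.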