On Wed, May 16, 2018 at 01:09:07PM +0300, Heikki Linnakangas wrote: > I have to agree with Bruce, that it's pretty useless to implement channel > binding, if there is no way to require it in libpq. IMHO that must be > fixed.
Wouldn't we want to also do something for the case where a client is willing to use SCRAM but that the server forces back MD5? In which case, one possibility is a connection parameter like the following, named say authmethod: - An empty value is equivalent to the current behavior, and is the default. - 'scram' means that client is willing to use SCRAM, which would cause a failure if server attempts to enforce MD5. - 'scram-plus' means that client enforces SCRAM and channel binding. Or we could just have a channel_binding_mode, which has a "require" value like sslmode, and "prefer" mode, which is the default and the current behavior... Still what to do with MD5 requests in this case? -- Michael
signature.asc
Description: PGP signature
