On 06/06/18 23:20, Peter Eisentraut wrote:
Aren't we attacking this on the wrong level? We are here attempting to prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade.
The latest patch does prevent that, too. That was my complaint at https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi, but it's been fixed now. (Or if you see a case where it still isn't, that's a bug.)
- Heikki
