On 6/6/18 16:26, Heikki Linnakangas wrote: > On 06/06/18 23:20, Peter Eisentraut wrote: >> Aren't we attacking this on the wrong level? We are here attempting to >> prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not >> preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade. > > The latest patch does prevent that, too. That was my complaint at > https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi, > > but it's been fixed now. (Or if you see a case where it still isn't, > that's a bug.)
OK, that would do, but we don't do anything about a SCRAM-SHA-256 -> anything-else downgrade. Instead of tying this to the channel binding, should we tie it to the authentication type? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
