Hello, At Tue, 23 Jun 2026 10:39:42 +0900, Fujii Masao <[email protected]> wrote in > While testing md5_password_warnings, I noticed that authentication > with an MD5-encrypted password emits the expected warning when the HBA > method is md5, but not when it is password. > > Was this intentional, or just an oversight? > > I couldn't find any discussion about this, so I put together the > attached patch. It updates the authentication code to emit the same > MD5 deprecation connection warning after successful password > authentication when the stored password is MD5-encrypted.
The current behavior seems reasonable to me. The warning is intended to discourage the use of MD5 password authentication and MD5 password storage. In the password authentication case, the authentication protocol itself does not use MD5, and MD5 password storage is already warned about when the verifier is created. Therefore I don't see a strong reason to emit an additional warning during authentication. Also, given that MD5 password authentication is already deprecated and expected to be removed eventually, I don't see a strong reason to change this behavior now. Regards, -- Kyotaro Horiguchi NTT Open Source Software Center
