Re: pgsql: Add libpq parameter 'channel_binding'.
From | Michael Paquier |
---|---|
Subject | Re: pgsql: Add libpq parameter 'channel_binding'. |
Date | |
Msg-id | 20190929234733.GA2888@paquier.xyz |
In response to | Re: pgsql: Add libpq parameter 'channel_binding'. (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: pgsql: Add libpq parameter 'channel_binding'.<br>Re: pgsql: Add libpq parameter 'channel_binding'. |
List | pgsql-committers |

On Sun, Sep 29, 2019 at 12:51:31PM -0400, Tom Lane wrote:
> I found out the hard way that the added ssl tests fall over on a
> platform that doesn't HAVE_X509_GET_SIGNATURE_NID:
>
> [...]
>
> I don't think that it's acceptable for the test to fail on a platform
> that we're willing to compile on. Maybe just skip these tests if we
> lack X509_get_signature_nid?

Yes, that's the bug I found three days ago for which I have posted a
patch here:
https://www.postgresql.org/message-id/20190927024457.GA8485@paquier.xyz

In short, I think that the proper way is to adapt the test if
X509_get_signature_nid is not around.

> Another point is that this error message is misleading --- or at least
> would be misleading if the server had X509_get_signature_nid and the
> client didn't.
>
> -#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> if (conn->channel_binding[0] != 'd') /* disable */
> + {
> +#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
> +#else
> + printfPQExpBuffer(&conn->errorMessage,
> + libpq_gettext("client does not support SCRAM-SHA-256-PLUS authentication\n"));
> + goto error;
> + }
> #endif
> }

Yes, it looks sensible to do that.
--
Michael
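
Review bot: the added closing brace ("+ }") sits before "#endif", inside the "#else" branch, so it is only compiled when HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH is undefined. When the macro is defined, the "{" added after the "if" is closed by the existing "}" that follows "#endif", which previously closed the enclosing block, leaving that block one brace short. Moving the "+ }" line to after "#endif" makes both branches close the "if" body the same way.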