Re: Channel binding not supported using scram-sha-256 passwords

On 2019-02-18 02:06, Michael Paquier wrote:
> Now, the error message "channel binding not supported by this build"
> would show up by either the backend or the frontend if
> X509_get_signature_nid() is not present in the version of OpenSSL your
> version of libpq (for the frontend) or your backend are linked to.
> This function has been added in OpenSSL 1.0.2, so it seems to me that
> you have an OpenSSL version mismatch between your client and the
> server.  My guess is that the client uses OpenSSL 1.0.2, but the
> server is linked to OpenSSL 1.0.1 or older.

I think there is a bug in the frontend code.  If the server offers
SCRAM-SHA-256-PLUS, the client will choose it if SSL is in use, but it
will later fail with this error message if not
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.

The code in src/interfaces/libpq/fe-auth.c:pg_SASL_init() should take
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH into account before selecting
SCRAM-SHA-256-PLUS.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services