On Wed, Feb 20, 2019 at 04:53:32PM +0100, Peter Eisentraut wrote:
> I think there is a bug in the frontend code. If the server offers
> SCRAM-SHA-256-PLUS, the client will choose it if SSL is in use, but it
> will later fail with this error message if not
> HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
Good catch! Indeed that's not a good idea. What do you think about the
attached to fix the issue?
--
Michael
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 08a5a9c1f3..4bb529ba3b 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -526,14 +526,24 @@ pg_SASL_init(PGconn *conn, int payloadlen)
/*
* Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything
- * else if a channel binding type is set. Pick SCRAM-SHA-256 if
- * nothing else has already been picked. If we add more mechanisms, a
- * more refined priority mechanism might become necessary.
+ * else if a channel binding type is set and if the client supports it.
+ * Pick SCRAM-SHA-256 if nothing else has already been picked. If we
+ * add more mechanisms, a more refined priority mechanism might become
+ * necessary.
*/
if (strcmp(mechanism_buf.data, SCRAM_SHA_256_PLUS_NAME) == 0)
{
if (conn->ssl_in_use)
+ {
+ /*
+ * The server has offered SCRAM-SHA-256-PLUS, which is only
+ * supported by the client if a hash of the peer certificate
+ * can be created.
+ */
+#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
+#endif
+ }
else
{
/*
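Review bot: wrapping only the assignment in `#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH` leaves `if (conn->ssl_in_use) { }` as an empty block when the macro is undefined, and in that configuration the `else` branch (cut off in this hunk) is never reached for an SSL connection; please confirm that nothing in that `else` branch needs to run when SSL is in use but the certificate hash cannot be computed, or move the guard so that the whole `if (conn->ssl_in_use) ... else` construct is what the preprocessor selects. Worth making explicit in the comment that this is a deliberate silent downgrade: a client built without peer-certificate-hash support will now fall through to plain SCRAM-SHA-256 even though the server offered SCRAM-SHA-256-PLUS, rather than failing later as Peter described; that is the correct outcome here because the client cannot honor channel binding at all, but the comment currently only says the mechanism is "supported by the client if a hash of the peer certificate can be created" and does not say what happens when it cannot.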
