On Thu, Nov 23, 2017 at 4:08 AM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote: > On 11/19/17 23:08, Michael Paquier wrote: >> When using "n" or "y", the data sent by the client to the server about >> the use of channel binding is a base64-encoded string of respectively >> "n,," (biws) and "y,," (eSws). However, as noticed by Peter E here, a >> v10 server is able to allow connections with "n,,", but not with >> "y,,": >> https://www.postgresql.org/message-id/887b6fb7-15fe-239e-2aad-5911d2b09...@2ndquadrant.com >> >> When trying to connect to a v11 client based on current HEAD to a v10 >> server using SSL, then the connection would fail. The attached patch, >> for REL_10_STABLE, allows a server to accept as well as input "eSws", >> which is a combination that can now happen. This way, a v10 server >> accepts connections from a v11 and newer client with SSL. > > I noticed what I think is an omission in the current v11 code. We also > need to check whether the channel binding flag (n/y/p) encoded in the > client-final-message is the same one used in the client-first-message. > See attached patch. This would also affect what we might end up > backpatching.
Yes, agreed. This patch looks good to me. In fe-auth-scram.c, it would be also nice to add a comment to keep in sync the logics in build_client_first_message() and build_client_final_message() which assign the cbind flag value. I don't see much need for an assertion or such. -- Michael