On Mon, Sep 30, 2019 at 05:41:46PM -0400, Tom Lane wrote:
> Jeff Davis <pgsql@j-davis.com> writes:
>> Looks good to me, though I think you need to update the expected error
>> message in the test you just added.
>
> The test case did pass for me when I tried it on an old-openssl machine
> a few hours ago. I don't think this test has any way to exercise the
> code path where the server has support and the client doesn't (or
> vice versa).
The behaviors of "prefer" which make sense with or without channel
binding support on the client-side is actually what matters here when
the server sends back SCRAM-SHA-256-PLUS over SSL. We could use a
compile flag and enforce it in a buildfarm animal, or have more modes
within the parameter, but the gains are not really worth the
code complications in my opinion, and the parameter is already
complicated enough.
--
Michael