On Mon, Sep 30, 2019 at 02:20:29PM -0400, Tom Lane wrote:
> Jeff Davis <pgsql@j-davis.com> writes:
>> For 2-3, shouldn't we error at an earlier stage? The user of the client
>> has requested something impossible to satisfy.
>
> Can't get excited about that. It'd require duplicating this code
> somewhere else, which is a maintenance issue. And the case of building
> with obsolete OpenSSL ought to be fairly infrequent and getting more so
> as time goes on, so I'm not really eager to expend lots of work on it.

Neither am I, and there is one extra reason on top of what Tom has
mentioned: there is still value in warning the client if a rogue
server sends SCRAM-SHA-256-PLUS without SSL even if channel_binding is
required.

I have double-checked the patch and done more tests (server publishing
SCRAM-SHA-256-PLUS with various libpq clients). I have included the
full description of the behavior in the commit log, and applied it.
--
Michael