Re: [HACKERS] SCRAM authentication, take three - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: [HACKERS] SCRAM authentication, take three
Date
Msg-id 20170411195537.GA20340@momjian.us
Whole thread Raw
In response to Re: [HACKERS] SCRAM authentication, take three  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote:
> On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
> Good question. We would need to decide the order of preference for those.
> 
> That question won't arise in practice. Firstly, if the server can do
> scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless
> there's a change in the way the channel binding works, such that the
> scram-sha-512-plus variant needs a newer version of OpenSSL or something.
> Secondly, the user's pg_authid row will contain a SCRAM-SHA-256 or
> SCRAM-SHA-512 verifier, not both, so that will dictate which one to use.

It seems openssl has had to deal with cipher preferences for years and
invented ssl_ciphers.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: [HACKERS] TAP tests take a long time
Next
From: Andres Freund
Date:
Subject: Re: [HACKERS] TAP tests take a long time