On Sun, Sep 29, 2019 at 12:51:31PM -0400, Tom Lane wrote:
> I found out the hard way that the added ssl tests fall over on a
> platform that doesn't HAVE_X509_GET_SIGNATURE_NID:
>
> [...]
>
> I don't think that it's acceptable for the test to fail on a platform
> that we're willing to compile on. Maybe just skip these tests if we
> lack X509_get_signature_nid?
Yes, that's the bug I found three days ago for which I have posted a
patch here:
https://www.postgresql.org/message-id/20190927024457.GA8485@paquier.xyz
In short, I think that the proper way is to adapt the test if
X509_get_signature_nid is not around.
> Another point is that this error message is misleading --- or at least
> would be misleading if the server had X509_get_signature_nid and the
> client didn't.
>
> -#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> if (conn->channel_binding[0] != 'd') /* disable */
> + {
> +#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
> selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
> +#else
> + printfPQExpBuffer(&conn->errorMessage,
> + libpq_gettext("client does not support SCRAM-SHA-256-PLUS authentication\n"));
> + goto error;
> + }
> #endif
> }
Yes, it looks sensible to do that.
--
Michael