On 06/06/18 23:20, Peter Eisentraut wrote:
> Aren't we attacking this on the wrong level? We are here attempting to
> prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not
> preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade.
The latest patch does prevent that, too. That was my complaint at
https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi,
but it's been fixed now. (Or if you see a case where it still isn't,
that's a bug.)
- Heikki