On Thu, Nov 23, 2017 at 4:08 AM, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 11/19/17 23:08, Michael Paquier wrote:
>> When using "n" or "y", the data sent by the client to the server about
>> the use of channel binding is a base64-encoded string of respectively
>> "n,," (biws) and "y,," (eSws). However, as noticed by Peter E here, a
>> v10 server is able to allow connections with "n,,", but not with
>> "y,,":
>> https://www.postgresql.org/message-id/887b6fb7-15fe-239e-2aad-5911d2b0945b@2ndquadrant.com
>>
>> When trying to connect to a v11 client based on current HEAD to a v10
>> server using SSL, then the connection would fail. The attached patch,
>> for REL_10_STABLE, allows a server to accept as well as input "eSws",
>> which is a combination that can now happen. This way, a v10 server
>> accepts connections from a v11 and newer client with SSL.
>
> I noticed what I think is an omission in the current v11 code. We also
> need to check whether the channel binding flag (n/y/p) encoded in the
> client-final-message is the same one used in the client-first-message.
> See attached patch. This would also affect what we might end up
> backpatching.
Yes, agreed. This patch looks good to me. In fe-auth-scram.c, it would
be also nice to add a comment to keep in sync the logics in
build_client_first_message() and build_client_final_message() which
assign the cbind flag value. I don't see much need for an assertion or
such.
--
Michael
