Diffstat (limited to 'src')
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 08a5a9c1f30..4cbe64ceb58 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -526,14 +526,24 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 /*
 * Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything
- * else if a channel binding type is set. Pick SCRAM-SHA-256 if
- * nothing else has already been picked. If we add more mechanisms, a
- * more refined priority mechanism might become necessary.
+ * else if a channel binding type is set and if the client supports
+ * it. Pick SCRAM-SHA-256 if nothing else has already been picked. If
+ * we add more mechanisms, a more refined priority mechanism might
+ * become necessary.
 */
 if (strcmp(mechanism_buf.data, SCRAM_SHA_256_PLUS_NAME) == 0)
 {
 if (conn->ssl_in_use)
+ {
+ /*
+ * The server has offered SCRAM-SHA-256-PLUS, which is only
+ * supported by the client if a hash of the peer certificate
+ * can be created.
+ */
+#ifdef HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH
 selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
+#endif
+ }
 else
 {
 /* |
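Review bot: When `HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH` is undefined, the new `if (conn->ssl_in_use)` body compiles to an empty block, so a SCRAM-SHA-256-PLUS offer over TLS is skipped without any trace. The client then presumably settles on plain SCRAM-SHA-256, which means no channel binding, although the rest of the selection loop is outside the hunk. The added comment says why the mechanism is unsupported but not what happens next or which protection is lost; I would add an `#else` arm holding `/* no peer certificate hash support in this build: skip -PLUS; authentication continues without channel binding if SCRAM-SHA-256 is offered */`. Nothing visible here lets the caller learn that channel binding was not negotiated, so it is worth confirming that this fallback is documented for builds lacking the function. `pg_SASL_init` starts and ends outside the hunk.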