| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Andreas Karlsson <andreas(at)proxel(dot)se>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] GnuTLS support |
| Date: | 2018-01-03 09:59:12 |
| Message-ID: | 20180103095912.GA680@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Jan 02, 2018 at 10:54:29PM -0500, Peter Eisentraut wrote:
> I think the solution is that we need to require that all SSL server-side
> implementations support all channel binding types.
That could be a stop for Windows and macos SSL implementations then. I
would think that we would benefit by being softer here, say with the
following guidelines:
- Have the server publish the -PLUS mechanism only if an SSL
implementation supports tls-unique.
- The RFC makes tls-unique mandatory, so requiring only tls-unique to be
present looks like a good default for me.
It is true that JDBC makes this whole thing harder, tls-server-end-point
patch has been done mainly for them. Even for OpenSSL, I had to dig
within their code tree to figure out the APIs to use to get the hash
algorithm. I would not be surprised that the same investigation is
necessary for gnutls.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Khandekar | 2018-01-03 11:29:18 | Re: [HACKERS] UPDATE of partition key |
| Previous Message | Vik Fearing | 2018-01-03 09:07:28 | Re: TODO list (was Re: Contributing with code) |