| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Subject: | Re: Negotiating the SCRAM channel binding type |
| Date: | 2018-07-12 13:10:56 |
| Message-ID: | 20180712131056.GC1167@paquier.xyz |
| Lists: | pgsql-hackers |
On Wed, Jul 11, 2018 at 04:00:47PM +0300, Heikki Linnakangas wrote:
> Looking at the GnuTLS docs, I believe it has everything we need.
> gnutls_certificate_get_peers() and gnutls_certificate_get_ours() can be used
> to get the certificate, and gnutls_x509_crt_get_signature_algorithm() gets
> the signatureAlgorithm.

Looking at the docs, there is gnutls_x509_crt_get_fingerprint() which
can provide the certificate hash. So if the signature algorithm is MD5
or SHA-1, it would be simple enough to upgrade it to SHA-256 and
calculate the hash. They have way better docs than OpenSSL, which is
nice.

--
Michael