| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org> |
| Cc: | sfackler(at)gmail(dot)com, Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Subject: | Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1 |
| Date: | 2018-05-30 02:33:03 |
| Message-ID: | 66969c0c-9d5b-ce6a-3729-2c76e174b0a9@iki.fi |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 29/05/18 17:02, Michael Paquier wrote:
> Currently, the SCRAM channel binding tls-server-end-point is supported
> only with OpenSSL 1.0.2 and newer versions as we rely on
> X509_get_signature_nid to get the certificate signature ID, which is the
> official way of upstream to get this information as all the contents of
> X509 are shadowed since this version.
Hmm. I think Peter went through this in commits ac3ff8b1d8 and
054e8c6cdb. If you got that working now, I suppose we could do that, but
I'm actually inclined to just stick to the current, more straightforward
code, and require OpenSSL 1.0.2 for this feature. OpenSSL 1.0.2 has been
around for several years now. It's not available on all the popular
platforms and distributions yet, but I don't want to bend over backwards
to support those.
[1]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ac3ff8b1d8f98da38c53a701e6397931080a39cf
[2]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=054e8c6cdb7f4261869e49d3ed7705cca475182e
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2018-05-30 02:48:20 | Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1 |
| Previous Message | Craig Ringer | 2018-05-30 01:59:01 | Re: Looks like we can enable AF_UNIX on Windows now |