Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1

From: Alvaro Hernandez <aht(at)ongres(dot)com>
To: Dave Cramer <pg(at)fastcrypt(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, sfackler(at)gmail(dot)com, Peter Eisentraut <peter_e(at)gmx(dot)net>
Subject: Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1
Date: 2018-06-24 18:53:37
Message-ID: ff1f9067-20ab-afb2-227b-ca67329a055f@ongres.com
Lists: pgsql-hackers

On 24/06/18 18:49, Dave Cramer wrote:
> On 29 May 2018 at 22:48, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
> > On Tue, May 29, 2018 at 10:33:03PM -0400, Heikki Linnakangas wrote:
> > > Hmm. I think Peter went through this in commits ac3ff8b1d8 and 054e8c6cdb.
> > > If you got that working now, I suppose we could do that, but I'm actually
> > > inclined to just stick to the current, more straightforward code, and
> > > require OpenSSL 1.0.2 for this feature. OpenSSL 1.0.2 has been around for
> > > several years now. It's not available on all the popular platforms and
> > > distributions yet, but I don't want to bend over backwards to support those.
> >
> > I think that this mainly boils down to how much Postgres JDBC wants to
> > get support here as some vendors can maintain oldest versions of OpenSSL
> > for a long time.  The extra code is not that much complicated by the
> > way, still it is true that HEAD is cleaner with its simplicity.
>
> I'm unclear what this has to do with JDBC? JDBC doesn't use OpenSSL
>
> Alvaro?
>

    It's only indirectly related. It does matter on what servers JDBC
would be able to connect to (using SCRAM + channel binding). Only those
with tls-server-end-point will be able to use CB with JDBC, and that is,
as of today, only OpenSSL 1.0.2 or higher, which is not available on
some older distributions.

    Álvaro

--

Alvaro Hernandez

-----------
OnGres
