|From:||Michael Paquier <michael(dot)paquier(at)gmail(dot)com>|
|To:||Postgres hackers <pgsql-hackers(at)postgresql(dot)org>|
|Subject:||Handling better supported channel binding types for SSL implementations|
|Views:||Raw Message | Whole Thread | Download mbox|
Per the recent discussions around support of new SSL implementations for
Postgres, it is becoming rather clear to me that the backend needs to be
a bit smarter with the way it needs to decide if it should publish or
not SCRAM-SHA-256-PLUS in the list that the clients can use to choose a
SASL mechanism for authentication.
This has been discussed here in the MacOS SSL implementation:
As well as here for GnuTLS:
Attached is a patch which is an attempt to make this choice cleaner for
new SSL implementations. As we are (rightly!) calling the APIs to fetch
the channel binding data only when necessary, I think that we need an
extra API for SSL implementations to let the server decide if channel
binding mechanisms should be published or not. There could be multiple
possibilities, like making this API return only a boolean flag. However
I have made a more extensible choice by having each SSL implementation
build a list of supported channel bindings. This matters for each
- GnuTLS only supports tls-unique.
- OpenSSL supports both tls-unique and tls-server-end-point.
- MacOS would support none.
However there is as well the argument that this list's contents are not
directly used now, and based on what I saw from the MacOS SSL and GnuTLS
patches that would not be the case after either.
I am adding that to the next CF for consideration.
|Next Message||Amit Khandekar||2018-01-22 07:44:51||Re: [HACKERS] UPDATE of partition key|
|Previous Message||Pavel Stehule||2018-01-22 06:43:27||Re: pgbench - add \if support|