Re: [HACKERS] GnuTLS support

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>
Cc: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Subject: Re: [HACKERS] GnuTLS support
Date: 2017-11-21 14:45:37
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 11/20/2017 02:56 AM, Michael Paquier wrote:
> Sorry about that. Something more specific needs to happen here as well
> for channel binding support with SCRAM. CheckSCRAMAuth() now assumes
> that the channel binding mechanism SCRAM-SHA-256-PLUS can be published
> to the client if SSL is used, because OpenSSL is the only
> implementation available. Does gnutls include an API to allow an
> application to fetch the bytes from the TLS finished message? I can
> see some references by glancing at the tarball of gnutls 3.6.1, but
> you would need something similar to OpenSSL's SSL_get_peer_finished().
> If that cannot be achieved I think that it will be necessary to tweak
> auth.c to not publish the -PLUS mechanism if for example the result of
> be_tls_get_peer_finished() is NULL. No need for a new SSL-specific
> API. At the end it would prove to be more portable to do so for all
> the SSL implementations, MacOS stuff does not document an API to get
> the TLS finish message bytes.

There is a function called gnutls_session_channel_binding() which seems
to do something very similar to SSL_get*_finished() which has been in
GnuTLS since 2.12.

>> --with-ssl=(openssl|gnutls)
> WIth potential patches coming to use macos' SSL implementation or
> Windows channel, there should really be only one implementation
> available at compile time. That's more simple as a first step as well.
> So +1 for the --with-ssl switch.



In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Ildus Kurbangaliev 2017-11-21 14:47:17 Re: [HACKERS] Custom compression methods
Previous Message Amit Kapila 2017-11-21 14:26:11 Re: IndexTupleDSize macro seems redundant