From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com> |
Cc: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Subject: | Re: [HACKERS] GnuTLS support |
Date: | 2017-11-21 14:45:37 |
Message-ID: | 7aac807c-e22e-e885-ff91-8aa309d54f56@proxel.se |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 11/20/2017 02:56 AM, Michael Paquier wrote:
> Sorry about that. Something more specific needs to happen here as well
> for channel binding support with SCRAM. CheckSCRAMAuth() now assumes
> that the channel binding mechanism SCRAM-SHA-256-PLUS can be published
> to the client if SSL is used, because OpenSSL is the only
> implementation available. Does gnutls include an API to allow an
> application to fetch the bytes from the TLS finished message? I can
> see some references by glancing at the tarball of gnutls 3.6.1, but
> you would need something similar to OpenSSL's SSL_get_peer_finished().
> If that cannot be achieved I think that it will be necessary to tweak
> auth.c to not publish the -PLUS mechanism if for example the result of
> be_tls_get_peer_finished() is NULL. No need for a new SSL-specific
> API. At the end it would prove to be more portable to do so for all
> the SSL implementations, MacOS stuff does not document an API to get
> the TLS finish message bytes.
There is a function called gnutls_session_channel_binding() which seems
to do something very similar to SSL_get*_finished() which has been in
GnuTLS since 2.12.
https://www.gnutls.org/manual/gnutls.html#Channel-Bindings
>> --with-ssl=(openssl|gnutls)
>
> WIth potential patches coming to use macos' SSL implementation or
> Windows channel, there should really be only one implementation
> available at compile time. That's more simple as a first step as well.
> So +1 for the --with-ssl switch.
Agreed.
Andreas
From | Date | Subject | |
---|---|---|---|
Next Message | Ildus Kurbangaliev | 2017-11-21 14:47:17 | Re: [HACKERS] Custom compression methods |
Previous Message | Amit Kapila | 2017-11-21 14:26:11 | Re: IndexTupleDSize macro seems redundant |