|From:||Andreas Karlsson <andreas(at)proxel(dot)se>|
|To:||Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>|
|Cc:||Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>|
|Subject:||Re: [HACKERS] GnuTLS support|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
On 11/20/2017 02:56 AM, Michael Paquier wrote:
> Sorry about that. Something more specific needs to happen here as well
> for channel binding support with SCRAM. CheckSCRAMAuth() now assumes
> that the channel binding mechanism SCRAM-SHA-256-PLUS can be published
> to the client if SSL is used, because OpenSSL is the only
> implementation available. Does gnutls include an API to allow an
> application to fetch the bytes from the TLS finished message? I can
> see some references by glancing at the tarball of gnutls 3.6.1, but
> you would need something similar to OpenSSL's SSL_get_peer_finished().
> If that cannot be achieved I think that it will be necessary to tweak
> auth.c to not publish the -PLUS mechanism if for example the result of
> be_tls_get_peer_finished() is NULL. No need for a new SSL-specific
> API. At the end it would prove to be more portable to do so for all
> the SSL implementations, MacOS stuff does not document an API to get
> the TLS finish message bytes.
There is a function called gnutls_session_channel_binding() which seems
to do something very similar to SSL_get*_finished() which has been in
GnuTLS since 2.12.
> WIth potential patches coming to use macos' SSL implementation or
> Windows channel, there should really be only one implementation
> available at compile time. That's more simple as a first step as well.
> So +1 for the --with-ssl switch.
|Next Message||Ildus Kurbangaliev||2017-11-21 14:47:17||Re: [HACKERS] Custom compression methods|
|Previous Message||Amit Kapila||2017-11-21 14:26:11||Re: IndexTupleDSize macro seems redundant|