Re: Negotiating the SCRAM channel binding type
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Date: 2018-07-12T13:10:56Z
Lists: pgsql-hackers
On Wed, Jul 11, 2018 at 04:00:47PM +0300, Heikki Linnakangas wrote: > Looking at the GnuTLS docs, I believe it has everything we need. > gnutls_certificate_get_peers() and gnutls_certificate_get_ours() can be used > to get the certificate, and gnutls_x509_crt_get_signature_algorithm() gets > the signatureAlgorithm. Looking at the docs, there is gnutls_x509_crt_get_fingerprint() which can provide the certificate hash. So if the signature algorithm is MD5 or SHA-1, it would be simple enough to upgrade it to SHA-256 and calculate the hash. They have way better docs than OpenSSL, which is nice. -- Michael
Commits
-
Remove support for tls-unique channel binding.
- 1b7378b3d689 11.0 landed
- 77291139c7c1 12.0 landed