On 29/05/18 17:02, Michael Paquier wrote:
> Currently, the SCRAM channel binding tls-server-end-point is supported
> only with OpenSSL 1.0.2 and newer versions as we rely on
> X509_get_signature_nid to get the certificate signature ID, which is the
> official way of upstream to get this information as all the contents of
> X509 are shadowed since this version.

Hmm. I think Peter went through this in commits ac3ff8b1d8 and 054e8c6cdb. If you got that working now, I suppose we could do that, but I'm actually inclined to just stick to the current, more straightforward code, and require OpenSSL 1.0.2 for this feature. OpenSSL 1.0.2 has been around for several years now. It's not available on all the popular platforms and distributions yet, but I don't want to bend over backwards to support those.

[1] https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ac3ff8b1d8f98da38c53a701e6397931080a39cf
[2] https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=054e8c6cdb7f4261869e49d3ed7705cca475182e

- Heikki
