> On 03 Aug 2017, at 19:27, Michael Paquier <michael.paqu...@gmail.com> wrote: > > On Thu, Aug 3, 2017 at 12:02 PM, Daniel Gustafsson <dan...@yesql.se> wrote: >> In https://postgr.es/m/69db7657-3f9d-4d30-8a4b-e06034251...@yesql.se I >> presented a WIP patch for adding support for the Apple Secure Transport SSL >> library on macOS as, an alternative to OpenSSL. That patch got put on the >> backburner for a bit, but I’ve now found the time to make enough progress to >> warrant a new submission for discussions on this (and hopefully help >> hacking). >> >> It is a drop-in replacement for the OpenSSL code, and supports all the same >> features and options, except for two things: compression is not supported and >> the CRL cannot be loaded from a plain PEM file. A Keychain must be used for >> that instead. > > Is there a set of APIs to be able to get server certificate for the > frontend and the backend, and generate a hash of it? That matters for > channel binding support of SCRAM for tls-server-end-point.
I believe we can use SSLCopyPeerTrust() for that. Admittedly I haven’t looked at that yet so need to get my head around channel binding, but it seems to fit the bill. > There were no APIs to get the TLS finish message last time I looked at OSX > stuff, which mattered for tls-unique. It would be nice if we could get one. Yeah, AFAICT there is no API for that. cheers ./daniel -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers