Re: [HACKERS] GnuTLS support

From Peter Eisentraut
Subject Re: [HACKERS] GnuTLS support
Date
Msg-id dcb10994-80f1-e9fb-e259-3bdc9d96d8d9@2ndquadrant.com
In response to Re: [HACKERS] GnuTLS support  (Michael Paquier <michael.paquier@gmail.com>)
List pgsql-hackers
On 1/3/18 04:59, Michael Paquier wrote:
> On Tue, Jan 02, 2018 at 10:54:29PM -0500, Peter Eisentraut wrote:
>> I think the solution is that we need to require that all SSL server-side
>> implementations support all channel binding types.
> 
> That could be a stop for Windows and macos SSL implementations then.

I'm surprised by that.  I thought tls-server-endpoint is basically
always possible to implement, because all you need is to obtain the peer
certificate and hash it.  It seems to me that any SSL implementation
should be able to do that.

> - Have the server publish the -PLUS mechanism only if an SSL
> implementation supports tls-unique.

But then a conforming client will never pick -PLUS.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

