Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1

From Heikki Linnakangas
Subject Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1
Date
Msg-id 66969c0c-9d5b-ce6a-3729-2c76e174b0a9@iki.fi
In response to Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1  (Michael Paquier <michael@paquier.xyz>)
Responses Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers

On 29/05/18 17:02, Michael Paquier wrote:
> Currently, the SCRAM channel binding tls-server-end-point is supported
> only with OpenSSL 1.0.2 and newer versions as we rely on
> X509_get_signature_nid to get the certificate signature ID, which is the
> official way of upstream to get this information as all the contents of
> X509 are shadowed since this version.

Hmm. I think Peter went through this in commits ac3ff8b1d8 and 
054e8c6cdb. If you got that working now, I suppose we could do that, but 
I'm actually inclined to just stick to the current, more straightforward 
code, and require OpenSSL 1.0.2 for this feature. OpenSSL 1.0.2 has been 
around for several years now. It's not available on all the popular 
platforms and distributions yet, but I don't want to bend over backwards 
to support those.

[1] https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ac3ff8b1d8f98da38c53a701e6397931080a39cf
[2] https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=054e8c6cdb7f4261869e49d3ed7705cca475182e

- Heikki
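
Why the certificate signature ID matters here, as an added example that is not part of this message or of PostgreSQL's code: RFC 5929 defines the tls-server-end-point binding data as a hash of the server certificate, with the hash chosen from the certificate's signature algorithm. The Python below reads that algorithm OID by walking the DER directly rather than calling X509_get_signature_nid; all function names and the sample certificate skeleton are constructed for illustration.

```python
import hashlib

# Signature-algorithm OID -> its hash (subset: RSA PKCS#1 v1.5 and ECDSA).
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.1": "sha1",
    "1.2.840.10045.4.3.2": "sha256", "1.2.840.10045.4.3.3": "sha384",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first arc 0 or 1 assumed
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, start, _ = read_tlv(cert_der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    tag, lo, hi = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[lo:hi])

def tls_server_end_point(cert_der):
    """RFC 5929 channel binding data: hash of the whole DER certificate."""
    name = SIG_HASH.get(signature_oid(cert_der))
    if name is None:  # e.g. RSASSA-PSS: no single hash implied by the OID
        raise ValueError("signature algorithm has no single known hash")
    if name in ("md5", "sha1"):  # RFC 5929 substitutes SHA-256 for these
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def sample_cert(last_arc):
    """Constructed skeleton, not a real certificate: tbs, RSA sig alg, signature."""
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([last_arc, 5, 0])
    body = bytes.fromhex("3003020101") + alg + bytes.fromhex("03020000")
    return bytes([0x30, len(body)]) + body
```

Client and server must pick the same hash for the same certificate, so a build that cannot read the signature algorithm cannot compute this value at all.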

