Re: [HACKERS] GnuTLS support - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: [HACKERS] GnuTLS support
Date
Msg-id 20180103095912.GA680@paquier.xyz
In response to Re: [HACKERS] GnuTLS support  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: [HACKERS] GnuTLS support
List pgsql-hackers
On Tue, Jan 02, 2018 at 10:54:29PM -0500, Peter Eisentraut wrote:
> I think the solution is that we need to require that all SSL server-side
> implementations support all channel binding types.

That could be a stop for Windows and macOS SSL implementations then. I
would think that we would benefit by being softer here, say with the
following guidelines:
- Have the server publish the -PLUS mechanism only if an SSL
implementation supports tls-unique.
- The RFC makes tls-unique mandatory, so requiring only tls-unique to be
present looks like a good default for me.

It is true that JDBC makes this whole thing harder; the tls-server-end-point
patch was done mainly for them. Even for OpenSSL, I had to dig
within their code tree to figure out the APIs to use to get the hash
algorithm. I would not be surprised if the same investigation were
necessary for GnuTLS.
--
Michael
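The rules this thread is arguing about (which mechanisms the server advertises, how tls-server-end-point picks its hash, and how the binding ends up in SCRAM's c= attribute) are easier to reason about in code. The following is an added example written for this page, not PostgreSQL or libpq code; it uses only the Python standard library, follows RFC 5802, RFC 5929 and RFC 7677, and its function names, the sample certificate bytes and the "offer -PLUS only when tls-unique is available" policy (the guideline from the message above) are this example's own choices.

```python
"""SCRAM channel-binding helpers (added example, not PostgreSQL code).

Shows the pieces discussed in the thread with stdlib only:
 1. which SASL mechanisms a server advertises given its TLS library,
 2. the RFC 5929 s.4.1 hash choice for tls-server-end-point,
 3. the SCRAM c= attribute and the server-side check of it.
Function names and the sample certificate bytes are this example's own.
"""
import base64
import hashlib
import hmac

# RFC 5929 s.4.1: hash the server certificate with the hash used by its
# signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256.
# Algorithms with no single hash (Ed25519, for instance) have no defined
# tls-server-end-point binding and are rejected below.
_SIGALG_HASH = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "ecdsa-with-SHA1": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "ecdsa-with-SHA256": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "ecdsa-with-SHA384": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA512": "sha512",
}


def server_end_point_hash(sig_alg):
    """hashlib algorithm name to use for tls-server-end-point."""
    try:
        return _SIGALG_HASH[sig_alg]
    except KeyError:
        raise ValueError("no tls-server-end-point binding for %s" % sig_alg)


def tls_server_end_point(cert_der, sig_alg):
    """cbind-data for tls-server-end-point: hash of the DER certificate."""
    return hashlib.new(server_end_point_hash(sig_alg), cert_der).digest()


def advertised_mechanisms(tls_in_use, tls_unique_supported):
    """Policy from the message: offer SCRAM-SHA-256-PLUS only over TLS and
    only if the TLS library can produce tls-unique (the mandatory type)."""
    mechs = ["SCRAM-SHA-256"]
    if tls_in_use and tls_unique_supported:
        mechs.insert(0, "SCRAM-SHA-256-PLUS")
    return mechs


def client_gs2_header(client_supports_cb, server_offers_plus, cb_type):
    """gs2-header of client-first-message (RFC 5802 s.7), no authzid.
    'y' means the client could bind but was not offered -PLUS, which lets
    the server notice a stripped -PLUS advertisement."""
    if client_supports_cb and server_offers_plus:
        return "p=%s,," % cb_type
    if client_supports_cb:
        return "y,,"
    return "n,,"


def channel_binding_attr(gs2_header, cbind_data):
    """c= attribute of client-final-message: base64(gs2-header || cbind-data).
    cbind_data is empty when no binding is in use."""
    raw = gs2_header.encode("ascii") + cbind_data
    return base64.b64encode(raw).decode("ascii")


def decode_channel_binding_attr(c_value):
    """Split c= into (cbind-flag, authzid, cbind-data).  Only the two commas
    of the gs2-header are consumed, so binary cbind-data may contain commas."""
    raw = base64.b64decode(c_value)
    flag, _, rest = raw.partition(b",")
    authzid, _, cbind_data = rest.partition(b",")
    return flag.decode("ascii"), authzid.decode("ascii"), cbind_data


def server_verify_binding(c_value, gs2_header_from_client_first, server_cbind_data):
    """Server-side check of c=: the gs2-header must equal the one seen in
    client-first (otherwise a downgrade was attempted), and with a 'p='
    flag the binding data must equal what the server computed from its own
    TLS connection.  Returns True when the attribute is acceptable."""
    flag, authzid, data = decode_channel_binding_attr(c_value)
    if "%s,%s," % (flag, authzid) != gs2_header_from_client_first:
        return False
    if flag.startswith("p="):
        return hmac.compare_digest(data, server_cbind_data)
    return data == b""


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; real code takes the bytes
    # from the TLS library's certificate accessor.
    fake_cert = b"\x30\x82\x01\x00" + b"\xab" * 256
    cb = tls_server_end_point(fake_cert, "sha1WithRSAEncryption")  # SHA-256 per RFC 5929
    mechs = advertised_mechanisms(tls_in_use=True, tls_unique_supported=True)
    hdr = client_gs2_header(True, "SCRAM-SHA-256-PLUS" in mechs, "tls-server-end-point")
    c = channel_binding_attr(hdr, cb)
    print(mechs, hdr, server_verify_binding(c, hdr, cb))
```

The server-side check is the part that makes the gs2-header comparison matter: a server that only compares the binding bytes would accept a client whose client-first said "n,," after an attacker stripped the -PLUS advertisement, whereas comparing the whole header ties the binding decision to what the client originally sent.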
