Re: [HACKERS] Support for Secure Transport SSL library on macOS as OpenSSL alternative
From | Daniel Gustafsson |
---|---|
Subject | Re: [HACKERS] Support for Secure Transport SSL library on macOS as OpenSSL alternative |
Date | |
Msg-id | 52ED3987-CF1C-412E-8595-5168213F5C4C@yesql.se |
In reply to | Re: [HACKERS] Support for Secure Transport SSL library on macOS as OpenSSL alternative (Michael Paquier <michael.paquier@gmail.com>) |
Responses | Re: [HACKERS] Support for Secure Transport SSL library on macOS as OpenSSL alternative |
List | pgsql-hackers |
> On 03 Aug 2017, at 19:27, Michael Paquier <michael.paquier@gmail.com> wrote:
>
> On Thu, Aug 3, 2017 at 12:02 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
>> In https://postgr.es/m/69DB7657-3F9D-4D30-8A4B-E06034251F61@yesql.se I
>> presented a WIP patch for adding support for the Apple Secure Transport SSL
>> library on macOS as an alternative to OpenSSL. That patch got put on the
>> backburner for a bit, but I’ve now found the time to make enough progress to
>> warrant a new submission for discussions on this (and hopefully help hacking).
>>
>> It is a drop-in replacement for the OpenSSL code, and supports all the same
>> features and options, except for two things: compression is not supported and
>> the CRL cannot be loaded from a plain PEM file. A Keychain must be used for
>> that instead.
>
> Is there a set of APIs to be able to get server certificate for the
> frontend and the backend, and generate a hash of it? That matters for
> channel binding support of SCRAM for tls-server-end-point.

I believe we can use SSLCopyPeerTrust() for that. Admittedly I haven’t looked at
that yet so need to get my head around channel binding, but it seems to fit the
bill.

> There were no APIs to get the TLS finish message last time I looked at OSX
> stuff, which mattered for tls-unique. It would be nice if we could get one.

Yeah, AFAICT there is no API for that.

cheers ./daniel
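To show what the tls-server-end-point channel binding data discussed above actually is, here is an added Python example (not code from the patch or from PostgreSQL): it reads the signatureAlgorithm OID out of a DER certificate and hashes the whole certificate with the digest RFC 5929 prescribes, mapping SHA-1 and MD5 signatures to SHA-256. The DER input is whatever the TLS library hands back for the peer certificate (on macOS, via the SSLCopyPeerTrust() route mentioned in the mail); the fake_cert helper and the OID constants are constructed samples, not real certificates.

```python
import hashlib
# RFC 5929 sect. 4.1: hash per the cert's signatureAlgorithm, but MD5/SHA-1 -> SHA-256
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def channel_binding_hash(cert_der):
    """Hash name RFC 5929 prescribes for this certificate, or ValueError."""
    _, cert, _ = _tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, _, end = _tlv(cert, 0)           # skip tbsCertificate
    _, sig_alg, _ = _tlv(cert, end)     # signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = _tlv(sig_alg, 0)      # AlgorithmIdentifier.algorithm
    if tag != 0x06 or _decode_oid(oid) not in SIG_ALG_HASH:
        raise ValueError("unsupported signature algorithm")
    return SIG_ALG_HASH[_decode_oid(oid)]

def tls_server_end_point(cert_der):
    """tls-server-end-point channel binding data: hash of the whole DER cert."""
    return hashlib.new(channel_binding_hash(cert_der), cert_der).digest()

def fake_cert(sig_oid_hex):
    """Constructed DER stand-in with a given signature OID (not a real cert)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths
    tbs = der(0x30, der(0x02, b"\x01"))                     # tbsCertificate stub
    alg = der(0x30, bytes.fromhex(sig_oid_hex) + b"\x05\x00")  # {algorithm, NULL}
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa"))   # + signatureValue stub

SHA1_RSA = "06092a864886f70d010105"    # sha1WithRSAEncryption OID, constructed sample
SHA384_RSA = "06092a864886f70d01010c"  # sha384WithRSAEncryption OID, constructed sample
```

Feeding a real DER certificate to tls_server_end_point() yields the value a SCRAM client and server must both compute for tls-server-end-point.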