Re: Supporting tls-server-end-point as SCRAM channel binding forOpenSSL 1.0.0 and 1.0.1

On 29/05/18 17:02, Michael Paquier wrote:
> Currently, the SCRAM channel binding tls-server-end-point is supported
> only with OpenSSL 1.0.2 and newer versions as we rely on
> X509_get_signature_nid to get the certificate signature ID, which is the
> official way of upstream to get this information as all the contents of
> X509 are shadowed since this version.

Hmm. I think Peter went through this in commits ac3ff8b1d8 and 
054e8c6cdb. If you got that working now, I suppose we could do that, but 
I'm actually inclined to just stick to the current, more straightforward 
code, and require OpenSSL 1.0.2 for this feature. OpenSSL 1.0.2 has been 
around for several years now. It's not available on all the popular 
platforms and distributions yet, but I don't want to bend over backwards 
to support those.

[1] 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ac3ff8b1d8f98da38c53a701e6397931080a39cf
[2] 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=054e8c6cdb7f4261869e49d3ed7705cca475182e

- Heikki