Re: RFC 9266: Channel Bindings for TLS 1.3 support
From | Jacob Champion |
---|---|
Subject | Re: RFC 9266: Channel Bindings for TLS 1.3 support |
Date | |
Msg-id | CAAWbhmgN+=v_q-DUZ=0JNbegxCewfn=xTcsT4Xhf2TX6NpSNdg@mail.gmail.com |
In response to | Re: RFC 9266: Channel Bindings for TLS 1.3 support (Michael Paquier <michael@paquier.xyz>) |
Responses | Re: RFC 9266: Channel Bindings for TLS 1.3 support |
List | pgsql-bugs |
On Thu, Jul 28, 2022 at 10:44 PM Michael Paquier <michael@paquier.xyz> wrote:
> tls-unique is not planned, as we have already tls-server-end-point for
> TLS1.2 and Postgres requires a certificate, anyway.

I think we can provide tls-exporter for older TLS versions as well, as long as SSL_get_extms_support() returns 1 for the connection, per Section 4.2 [1]. That would let people use a unique binding even if they can't use TLS 1.3 for whatever reason.

> I should be able to get something sent to the mailing lists for the
> commit fest of September, so as we could have this feature in v16~.

Thanks!
--Jacob

[1] https://datatracker.ietf.org/doc/html/rfc9266#section-4.2
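
Why the SSL_get_extms_support() condition matters below TLS 1.3, as an added example (not part of the original message or of PostgreSQL/OpenSSL code): it recomputes the TLS 1.2 master secret (RFC 5246, and RFC 7627 with extended master secret) and the RFC 5705 exporter for two constructed sessions that share a premaster secret and randoms but have different handshake transcripts. All byte values and function names are constructed for illustration, and passing the zero-length context as present is this example's reading of Section 4.2.

```python
import hashlib
import hmac

LABEL = b"EXPORTER-Channel-Binding"  # exporter label from RFC 9266 Section 4.2


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 Section 5) using P_SHA256."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pms, client_random, server_random, transcript, extms):
    """48-byte master secret: RFC 7627 form if extms, else the RFC 5246 form."""
    if extms:
        # Extended master secret is bound to a hash of the handshake messages.
        session_hash = hashlib.sha256(transcript).digest()
        return prf(pms, b"extended master secret", session_hash, 48)
    # The classic form depends only on the premaster secret and the two randoms.
    return prf(pms, b"master secret", client_random + server_random, 48)


def tls_exporter(ms, client_random, server_random):
    """RFC 5705 exporter: RFC 9266 label, zero-length context, 32 bytes."""
    # Assumption: the zero-length context is "present", so its uint16 length is encoded.
    seed = client_random + server_random + (0).to_bytes(2, "big")
    return prf(ms, LABEL, seed, 32)


def binding(transcript: bytes, extms: bool) -> bytes:
    # Constructed sample values shared by both sessions.
    pms, cr, sr = b"\x01" * 48, b"\x02" * 32, b"\x03" * 32
    return tls_exporter(master_secret(pms, cr, sr, transcript, extms), cr, sr)


# Constructed stand-ins for two handshake transcripts that differ.
T1, T2 = b"handshake with certificate A", b"handshake with certificate B"

if __name__ == "__main__":
    print("no EMS, bindings equal:", binding(T1, False) == binding(T2, False))
    print("EMS,    bindings equal:", binding(T1, True) == binding(T2, True))
```

Without extended master secret the two sessions export the same 32 bytes, so the value is not unique to one connection; with it, the bindings differ because the transcript hash feeds the master secret.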