Re: RFC 9266: Channel Bindings for TLS 1.3 support

Hi,

On Thu, Jul 28, 2022 at 08:33:50PM +0000, * Neustradamus * wrote:
> Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
> - https://datatracker.ietf.org/doc/html/rfc9266
>
> Little details, to know easily:
> - tls-unique for TLS =< 1.2

tls-unique is not planned, as we have already tls-server-end-point for
TLS1.2 and Postgres requires a certificate, anyway.

> - tls-exporter for TLS = 1.3
>
> It is linked to:
> - https://github.com/postgres/postgres/search?q=tls-unique

So, tls-exporter has been made an official thing, finally.  I was
wondering when this was going to happen.  Jacob Champion has given me
a patch to support that, based on OpenSSL's SSL_export_keying_material()
to do the job.  The base integration is not complicated, but I still
need to think a bit more about it when it comes to the min/max TLS
protocols we allow in libpq, for example, and polish the whole with
tests.  We don't force any failures depending on the other connection
parameters for tls-server-end-point, so I suspect that we should be
fine with keeping things at their simplest.

I should be able to get something sent to the mailing lists for the
commit fest of September, so as we could have this feature in v16~.
--
Michael