You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On the client, there is the peer_certificates API that gives the server certificate bytes that can be digested. Unfortunately, there's still room to make mistakes here.
ConnectionState has a new method: tls_server_end_point() that returns a type similar to Option<ring::digest::Digest>. Have this be an opt-in feature in the Server/ClientConfig as this will require extra runtime performance to calculate these digests
The text was updated successfully, but these errors were encountered:
I don't think we'll want to maintain the logic for hash algorithm fallback that you link to in this crate. It's also not obvious to me that it makes sense for rustls connection types to always hang on to the certificate that is sent to the peer, when this is something that can be fairly straightforwardly implemented by the caller.
rustls connection types to always hang on to the certificate
My suggestion was to hang on only to the digest of the certificate, sorry if that wasn't clear.
when this is something that can be fairly straightforwardly implemented by the caller.
I don't think this was too straightforward. It took me a while to determine how to arrange the certificate resolver. For single certificate services it's trivial. For multi certificate services it isn't so. It's also impossible to construct a ClientHello struct so I had to expose an alternative inherent method rather than call ResolvesServerCert::resolve as one might expect
Checklist
Is your feature request related to a problem? Please describe.
Implementing
SCRAM-SHA-256-PLUS
authentication for a postgres proxy server. Postgres only supports thetls-server-end-point
channel binding method.On the client, there is the peer_certificates API that gives the server certificate bytes that can be digested. Unfortunately, there's still room to make mistakes here.
tokio-postgres-rustls
only uses the sha256 digest even though the specification says that you should use the signatureAlgorithm hash in the certificatepostgres-openssl
gets this correct.It's possible that rustls only supports signature algorithms using sha256, but that's an implementation detail and shouldn't be assumed.
Additionally, on the server side, there's no API to get the certificate used in that ServerConnection. For now, I've kept a copy of the CertResolver and resolved the certificate afterwards.
Describe the solution you'd like
ConnectionState
has a new method:tls_server_end_point()
that returns a type similar toOption<ring::digest::Digest>
. Have this be an opt-in feature in the Server/ClientConfig as this will require extra runtime performance to calculate these digestsThe text was updated successfully, but these errors were encountered: