On Fri, Jan 5, 2018 at 7:12 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> so this is looking mighty like a crashed and burned patch from here :-(

Sorry for arriving late to the party, timezone and such.. The lack of access to the signature algorithm type is being covered by this commit from upstream which introduced X509_get_signature_nid():

commit: dfcf48f499f19fd17a3aee03151ea301814ea6ec
author: Dr. Stephen Henson <st...@openssl.org>
date: Wed, 13 Jun 2012 13:08:12 +0000

    New functions to retrieve certificate signatures and signature OID NID.

So any versions of OpenSSL older than 1.0.1 included would not compile on that. There is only X509_get_signature_type() before that, but this returns the signature type, and that's the hashing type we are looking for here.

RFC 5929, which defines the channel binding types, is from July 2010. I have not checked the OpenSSL threads, but I would bet a nickel that one of the reasons why X509_get_signature_nid() has been introduced is to support cases similar to tls-server-end-point where you want to know what's the hash function used for a certificate.

That's my fault at the end, my apologies. I can reproduce manually the compilation failure of this code when compiling by myself past versions of OpenSSL. So I think that 054e8c6c is doing the right move. Thanks Peter and all others involved.
--
Michael