Re: SCRAM with channel binding downgrade attack

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>
Subject: Re: SCRAM with channel binding downgrade attack
Date: 2018-06-29 01:37:55
Message-ID: 20180629013755.GC2965@paquier.xyz
Lists: pgsql-hackers pgsql-www

On Thu, Jun 28, 2018 at 10:05:23AM +0200, Peter Eisentraut wrote:
> But before we drop the SCRAM business completely off the open items, I
> think we need to consider how TLS 1.3 affects this.

The set of APIs that we use to the SSL abstraction layer is very
internal, so it would not be an issue if we add some in stable branches,
no? My point is that from OpenSSL's point of view, TLS 1.3 stuff has been
added in 1.1.1 which is now in beta 6 stage, so we could consider as
well all this part once OpenSSL is released. That's compatibility work
I wanted to work on anyway. Impossible to say down to which versions of
Postgres things could be applied easily though without a deep
investigation of the new compatibility breakages that upstream OpenSSL
has very likely introduced in upstream.

Still it does not sound completely strange either to me to wait for
OpenSSL to release as we won't be able to have a full solution designed
before that.
--
Michael
