Re: Channel binding

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Channel binding
Date: 2019-02-16 03:21:12
Message-ID: 20190216032112.GA2770@momjian.us
Lists: pgsql-hackers

On Sat, Feb 16, 2019 at 10:12:19AM +0900, Michael Paquier wrote:
> On Fri, Feb 15, 2019 at 04:17:07PM -0500, Bruce Momjian wrote:
> > We removed channel binding from PG 11 in August of 2018 because we were
> > concerned about downgrade attacks. Are there any plans to enable it for
> > PG 12?
>
> The original implementation of channel binding for SCRAM has included
> support for two channel binding types: tls-unique and
> tls-server-end-point. The original implementation also had a
> connection parameter called scram_channel_binding to control the
> channel binding type to use or to disable it.
>
> What has been removed via 7729113 are tls-unique and the libpq
> parameter, and we still have basic channel binding support. The
> reasons behind that are that tls-unique's future is uncertain as of TLS
> 1.3, and that tls-server-end-point will still be supported. This also
> simplified the protocol as it is not necessary to let the client
> decide which channel binding to use.

Well, my point was that this feature was considered to be very
important for PG 11, but for some reason there has been no advancement
of this feature for PG 12.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
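For readers following the thread who want to see where tls-server-end-point actually enters the SCRAM exchange and which downgrade the gs2 flag check does and does not catch, here is an added example. It is not libpq's or the PostgreSQL server's code and is not part of the thread; it follows RFC 5802/7677 (SCRAM-SHA-256 and -PLUS) and RFC 5929 section 4.1 (tls-server-end-point) in a single process. The certificate bytes, user name, password and scenario names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the server's DER-encoded certificate. A real client takes
# the peer certificate from its TLS library; these bytes are not a real certificate.
CONSTRUCTED_SERVER_CERT_DER = b"\x30\x82\x01\x2a" + b"example-certificate-body-for-illustration"


def tls_server_end_point(cert_der: bytes, cert_sig_hash: str = "sha256") -> bytes:
    """RFC 5929 4.1: hash of the DER certificate using the hash of the certificate's
    signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256."""
    if cert_sig_hash in ("md5", "sha1"):
        cert_sig_hash = "sha256"
    return hashlib.new(cert_sig_hash, cert_der).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> dict:
    # SCRAM attributes are comma-separated "k=v" pairs; base64 values contain no commas.
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramServer:
    """SCRAM-SHA-256 verifier (RFC 5802/7677) that also offers the -PLUS variant and
    applies the RFC 5802 section 6 downgrade rule to the client's gs2 flag."""

    def __init__(self, password: str, supports_plus: bool, cb_data: bytes, iterations: int = 4096):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.supports_plus = supports_plus
        self.cb_data = cb_data  # this server's own tls-server-end-point value
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)
        self.stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")

    def first(self, client_first_bare: str) -> str:
        self.client_first_bare = client_first_bare
        nonce = _attrs(client_first_bare)["r"] + base64.b64encode(os.urandom(18)).decode()
        self.server_first = f"r={nonce},s={base64.b64encode(self.salt).decode()},i={self.iterations}"
        return self.server_first

    def final(self, client_final: str):
        a = _attrs(client_final)
        cbind_input = base64.b64decode(a["c"])  # gs2-header || cb-data
        if cbind_input.startswith(b"y,,") and self.supports_plus:
            # Client can bind but was told we cannot: the -PLUS mechanism was stripped
            # from the advertisement in transit (RFC 5802 section 6).
            return False, "downgrade attempt"
        if cbind_input.startswith(b"p="):
            prefix = b"p=tls-server-end-point,,"
            if not cbind_input.startswith(prefix) or \
               not hmac.compare_digest(cbind_input[len(prefix):], self.cb_data):
                return False, "channel binding mismatch"
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_msg = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_key = _xor(base64.b64decode(a["p"]), _hmac(self.stored_key, auth_msg))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            return False, "bad proof"
        return True, "v=" + base64.b64encode(_hmac(self.server_key, auth_msg)).decode()


def scram_client(server: ScramServer, password: str, flag: str, cb_data: bytes = b""):
    """Client side against `server`. flag: 'n' = cannot do channel binding,
    'y' = can, but believes the server cannot, 'p' = bind with tls-server-end-point."""
    gs2 = {"n": b"n,,", "y": b"y,,", "p": b"p=tls-server-end-point,,"}[flag]
    client_first_bare = "n=user,r=" + base64.b64encode(os.urandom(18)).decode()
    server_first = server.first(client_first_bare)
    a = _attrs(server_first)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(a["s"]), int(a["i"]))
    client_key = _hmac(salted, b"Client Key")
    cbind_input = gs2 + (cb_data if flag == "p" else b"")
    without_proof = f"c={base64.b64encode(cbind_input).decode()},r={a['r']}"
    auth_msg = ",".join([client_first_bare, server_first, without_proof]).encode()
    proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_msg))
    return server.final(without_proof + ",p=" + base64.b64encode(proof).decode())


def run_scenarios(password: str = "s3cret") -> dict:
    """Accepted/rejected outcomes for the cases the downgrade discussion turns on."""
    cb = tls_server_end_point(CONSTRUCTED_SERVER_CERT_DER)
    mitm_cb = tls_server_end_point(b"\x30\x82\x01\x2a" + b"a-different-certificate-from-the-attacker")
    def srv(): return ScramServer(password, supports_plus=True, cb_data=cb)
    return {
        "bound_to_real_cert": scram_client(srv(), password, "p", cb)[0],
        "bound_to_mitm_cert": scram_client(srv(), password, "p", mitm_cb)[0],
        "y_flag_downgrade": scram_client(srv(), password, "y")[0],
        "no_binding_at_all": scram_client(srv(), password, "n")[0],
        "wrong_password": scram_client(srv(), "wrong", "p", cb)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Two things worth noticing in the output. A client that binds to an interposed certificate is rejected even though its password proof is valid, because the proof covers the c= attribute and the server compares the embedded hash with its own certificate. But the "n" case is accepted: the RFC rule only catches a client that supports channel binding and was told the server does not; a client that never offers binding looks the same as one that was stripped of it, which is why whether either side can insist on -PLUS matters for the downgrade concern raised in this thread.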
