| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Álvaro Hernández Tortosa <aht(at)8kdata(dot)com> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |
| Date: | 2017-05-30 14:37:53 |
| Message-ID: | CA+TgmoaFxzTJ0Rmya8PkW0ZLV8wF95Cj1Cvts7aFxoxKF1aO9g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-jdbc |
On Sat, May 27, 2017 at 5:59 PM, Álvaro Hernández Tortosa
<aht(at)8kdata(dot)com> wrote:
> - tls-unique, as you mentioned, uses two undocumented APIs. This raises a
> small flag about the stability and future of those APIs.
It seems to me that the question is not just whether those APIs will
be available in future versions of OpenSSL, but whether they will be
available in every current and future version of every SSL
implementation that we may wish to use in core or that any client may
wish to use. We've talked before about being able to use the Windows
native SSL implementation rather than OpenSSL and it seems that there
would be significant advantages in having that capability. Meanwhile,
a client that reimplements the PostgreSQL wire protocol is free to use
any SSL implementation it likes. If channel binding can't work unless
both sides are speaking OpenSSL, then I'd say we've blown it.
Also, Heikki pointed out in his PGCon talk that there's currently no
way for libpq to insist on the use of SCRAM rather than plain password
authentication or md5. So, if someone trojans the server, they only
need to hack it to ask the client for plaintext authentication rather
than SCRAM and the client will cheerfully hand over the password with
no questions asked. Presumably, we need to add a connection option to
insist (a) on SCRAM or (b) SCRAM + channel binding, or else this isn't
going to actually provide us with any increased security. Even
without that, channel binding will still let the server verify that
it's really connected to the client, but that's not really doing much
for us in terms of security because the client (who has the password)
can always let someone else impersonate it perfectly by just handing
over the password. Channel binding can't prevent that. It *could*
prevent someone from impersonating the *server* but not if the server
can disable the check whenever it likes by ceasing to advertise
channel binding as an available option -- with no notification to the
client that anything has changed.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2017-05-30 14:41:53 | Re: Use of non-restart-safe storage by temp_tablespaces |
| Previous Message | Tom Lane | 2017-05-30 14:12:46 | Re: [HACKERS] [PATCH] relocation truncated to fit: citus build failure on s390x |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2017-05-30 14:50:22 | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |
| Previous Message | Dave Cramer | 2017-05-30 01:28:33 | [pgjdbc/pgjdbc] 2d0bfc: fix javadoc complaints and some small edits to rep... |