Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Thu, Nov 20, 2025 at 11:52:07PM +0200, Heikki Linnakangas wrote:
> > After the jabber.ru MITM, it is time to add it:
>
> PostgreSQL does support channel binding, with tls-server-end-point. I
> believe that sufficient to prevent an attack like that. (Assuming that it's
> configured correctly, but that's an issue of insecure defaults rather than a
> missing feature).

Yes, tls-server-end-point is sufficient.

> What are the benefits of tls-exporter over tls-server-end-point? I agree it
> would be good to support tls-exporter, since RFC9266 specifies it as
> mandatory for channel binding over TLS 1.3. But aside from the RFC, is there
> some practical difference?

tls-server-end-point suffers from a design problem: it assumes that
signature algorithms have an asssociated digest function, but this turns
out not to be true, and so for some signature algorithms the tls-server-
end-point CB data are undefined :( (you can blame me and my co-authors
for this). Using the exporter-based CB you will not have this problem.

The main benefit of "end-point"-style CB data is that it's easier to
deal with server-side ("reverse") proxies. That's primarily a benefit
for HTTP applications, and almost certainly not relevant to PG (unless
there _are_ reverse proxies for PG -- are there?).

(It _was_ also easier to implement end-point CB when the TLS library
doesn't support the exporter -- that was a problem 15 years ago, but not
now.)

Nico
--