From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, sfackler(at)gmail(dot)com |
Subject: | Re: Supporting tls-server-end-point as SCRAM channel binding for OpenSSL 1.0.0 and 1.0.1 |
Date: | 2018-06-06 19:37:12 |
Message-ID: | fd7bcec7-19c8-7a7f-f72c-68a237733b04@2ndquadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 6/6/18 12:37, Alvaro Herrera wrote:
> If SCRAM channel binding is an important aspect to security, and the
> older OpenSSL versions will still be around in servers for some time
> yet, it seems like it behooves us to go the extra mile and provide an
> implementation that works with such existing servers. Looking at
> yum.postgresql.org, we seem to offer Postgres 11 packages for RHEL 6,
> which appears to have openssl 1.0.0.
There are two channel binding types: tls-unique and
tls-server-end-point. Of the two, tls-unique is the "better" one. We
do support that without a problem. tls-server-end-point is for SSL
implementations that cannot support tls-unique, because the SSL library
does not expose the required information. Most prominently, this is for
JDBC.
So currently, we support channel binding using tls-unique just fine
between libpq and a server. And we support tls-server-end-point between
JDBC and a server using new-ish OpenSSL. We don't support any channel
binding between for example JDBC and a server on CentOS 6. But that's
not a regression, it's just not there.
As Heikki was saying, the proposed patch seems to tread into the
portability problem territory that caused the previous attempt to fail
and had to be reverted. I am not that interested in trying that again
without new insights. I don't think we are going to do ourselves a
favor if we start meddling with that again. There are dozens of OpenSSL
variants out there, and the version history is nonlinear.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2018-06-06 19:37:51 | Re: Bug in either collation docs or code |
Previous Message | Andrew Dunstan | 2018-06-06 19:30:40 | Re: buildfarm vs code |