From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |
Date: | 2017-06-06 12:29:25 |
Message-ID: | 20170606122925.GO3151@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers pgsql-jdbc |
Michael,
* Michael Paquier (michael(dot)paquier(at)gmail(dot)com) wrote:
> On Fri, Jun 2, 2017 at 10:25 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > On Thu, Jun 1, 2017 at 9:13 PM, Michael Paquier
> > <michael(dot)paquier(at)gmail(dot)com> wrote:
> >> It seems to me that any testing in this area won't fly high as long as
> >> there is no way to enforce the list of TLS implementations that a
> >> server allows. There have been discussions about being able to control
> >> that after the OpenSSL vulnerabilities that were protocol-specific and
> >> there were even patches adding GUCs for this purpose. At the end,
> >> everything has been rejected as Postgres enforces the use of the
> >> newest one when doing the SSL handshake.
> >
> > TLS implementations, or TLS versions? What does the TLS version have
> > to do with this issue?
>
> I really mean *version* here. Unlike OpenSSL, the Windows TLS
> implementation does not offer an API to choose the latest TLS version
> available:
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa380513(v=vs.85).aspx
> It is up to the server and the client to negotiate that, so it seems
> to me that we want some control in this area, which would be important
> for testing as well because the TLS finish message differs a bit
> across versions, in length mainly. On top of that per the aggressive
> updates that Windows does from time to time they may as well forcibly
> expose users to a broken TLS implementation...
> MacOS has something similar to OpenSSL, with
> SSLGetProtocolVersionMax(), which is nice.
We mainly need to know what version was used, right..? Isn't that
available?
Thanks!
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2017-06-06 12:29:29 | Re: Challenges preventing us moving to 64 bit transaction id (XID)? |
Previous Message | Petr Jelinek | 2017-06-06 10:51:17 | Re: inconsistent application_name use in logical workers |
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2017-06-06 15:35:49 | Re: [JDBC] Channel binding support for SCRAM-SHA-256 |
Previous Message | Michael Paquier | 2017-06-06 06:40:05 | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |