Re: Postgres 11 release notes

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: Postgres 11 release notes
Date: 2018-05-17 00:56:49
Message-ID: 20180517005649.GB2144@paquier.xyz
Lists: pgsql-hackers pgsql-www

On Wed, May 16, 2018 at 08:20:49PM -0400, Bruce Momjian wrote:
> SCRAM-with-binding is the first password method that attempts to avoid
> man-in-the-middle attacks, and therefore is much less likely to be able
> to trust what the endpoints support. I think it is really the
> channel_binding_mode that we want to control at the client. The lesser
> modes are much more reasonable to use an automatic best-supported
> negotiation, which is what we do now.

Noted. Which means that the parameter is ignored when using a non-SSL
connection, as well as when the server tries to enforce the use of
anything other than SCRAM.

> FYI, I think the server could also require channel binding for SCRAM. We
> already have scram-sha-256 in pg_hba.conf, and I think
> scram-sha-256-plus would be reasonable.

Noted as well. There is of course the question of v10 libpq versions
which don't support channel binding, but if an admin is willing to set
up scram-sha-256-plus in pg_hba.conf then he can request his users to
update their drivers/libs as well.

What's the take of others? Magnus, Stephen or Heikki perhaps (you've
been the most involved with SCRAM early talks)?
--
Michael
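As an added illustration (not code from this thread, libpq or the backend), the following Python models the negotiation being discussed: a client-side mode setting that is moot on non-SSL connections or when the server enforces non-SCRAM auth, a server policy that requires the -PLUS mechanism (rejecting a v10-style client), and the SASL gs2 'y' flag that lets a server detect that -PLUS was stripped from what it advertised. The mode names, the helper functions and the scenario driver are assumptions.

```python
# Constructed model of the SCRAM channel-binding negotiation discussed in this
# thread (RFC 5802 gs2 flags 'n', 'y', 'p='); not libpq or backend code.

SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"


def client_choose(ssl, server_mechs, mode, client_can_bind=True):
    """Return (mechanism, gs2 flag) the client sends, or raise PermissionError.

    mode is a hypothetical client setting: 'disable', 'prefer' or 'require'.
    client_can_bind=False models a v10 libpq that knows nothing about binding.
    """
    if not any(m.startswith("SCRAM-") for m in server_mechs):
        return None, None  # server enforces something other than SCRAM: moot
    wants = ssl and client_can_bind and mode != "disable"  # ignored off SSL
    if wants and SCRAM_PLUS in server_mechs:
        return SCRAM_PLUS, "p=tls-server-end-point"  # bind to this TLS session
    if wants and mode == "require":
        raise PermissionError("server offered no -PLUS mechanism")
    if wants:
        # Client could bind but the server did not advertise it: 'y' lets an
        # honest server notice that its mechanism list was tampered with.
        return SCRAM, "y"
    return SCRAM, "n"


def server_check(supports_bind, requires_bind, mechanism, flag):
    """Server side: apply policy and detect a stripped -PLUS advertisement."""
    if requires_bind and mechanism != SCRAM_PLUS:  # scram-sha-256-plus in pg_hba
        raise PermissionError("policy requires channel binding")
    if flag == "y" and supports_bind:
        raise PermissionError("downgrade detected: -PLUS was stripped in transit")
    if (mechanism == SCRAM_PLUS) != flag.startswith("p="):
        raise PermissionError("mechanism and gs2 flag disagree")
    return True


def simulate(ssl, mode, supports_bind, requires_bind, client_can_bind=True,
             strip_plus=False):
    """One SCRAM exchange; returns 'bound', 'unbound' or 'rejected: <reason>'."""
    offered = [SCRAM, SCRAM_PLUS] if (ssl and supports_bind) else [SCRAM]
    if strip_plus:  # an on-path attacker removes -PLUS from the advertisement
        offered = [m for m in offered if m != SCRAM_PLUS]
    try:
        mech, flag = client_choose(ssl, offered, mode, client_can_bind)
        server_check(supports_bind, requires_bind, mech, flag)
    except PermissionError as exc:
        return f"rejected: {exc}"
    return "bound" if mech == SCRAM_PLUS else "unbound"
```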
