From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Channel binding support for SCRAM-SHA-256 |
Date: | 2017-06-02 01:25:14 |
Message-ID: | CA+TgmoZu1qgz4UTYxa8SP0yEj4VkjwoBFTuyeErOmcVEuxA8uw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers pgsql-jdbc |
On Thu, Jun 1, 2017 at 9:13 PM, Michael Paquier
<michael(dot)paquier(at)gmail(dot)com> wrote:
> On Fri, Jun 2, 2017 at 10:08 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> What I find somewhat objectionable is the notion that if we don't have 5
>> different TLS/SSL implementations supported in PG and that we've tested
>> that channel binding works correctly among all combinations of all of
>> them, then we can't accept a patch implementing it.
>
> It seems to me that any testing in this area won't fly high as long as
> there is no way to enforce the list of TLS implementations that a
> server allows. There have been discussions about being able to control
> that after the OpenSSL vulnerabilities that were protocol-specific and
> there were even patches adding GUCs for this purpose. At the end,
> everything has been rejected as Postgres enforces the use of the
> newest one when doing the SSL handshake.
TLS implementations, or TLS versions? What does the TLS version have
to do with this issue?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | wangchuanting | 2017-06-02 01:33:30 | Re: BUG #14680: startup process on standby encounter a deadlock of TwoPhaseStateLock when redo 2PC xlog |
Previous Message | Peter Eisentraut | 2017-06-02 01:20:40 | Re: "create publication..all tables" ignore 'partition not supported' error |
From | Date | Subject | |
---|---|---|---|
Next Message | Лёсин Евгений Андреевич | 2017-06-02 11:11:35 | Error while connecting postgres db with Kerberos autentification |
Previous Message | Michael Paquier | 2017-06-02 01:13:54 | Re: [JDBC] Channel binding support for SCRAM-SHA-256 |