Re: Negotiating the SCRAM channel binding type
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2018-07-12T13:08:18Z
Lists: pgsql-hackers
On Thu, Jul 12, 2018 at 12:34:51PM +0300, Heikki Linnakangas wrote: > Meh. We're not going implement tls-unique, anyway, in some of the upcoming > non-OpenSSL TLS implementations that don't support it. True enough. Only GnuTLS supports it: https://www.gnutls.org/manual/html_node/Channel-Bindings.html > Hmm. That is actually in a section called "Default Channel Binding". And the > first paragraph says "A default channel binding type agreement process for > all SASL application protocols that do not provide their own channel binding > type agreement is provided as follows". Given that, it's not entirely clear > to me if the requirement to support tls-unique is for all implementations of > SCRAM, or only those applications that don't provide their own channel > binding type agreement. I am not sure, but I get that as tls-unique must be the default if available, so if it is technically possible to have it we should have it in priority. If not, then a channel binding type which is supported by both the server and the client can be chosen. -- Michael
Commits
-
Remove support for tls-unique channel binding.
- 1b7378b3d689 11.0 landed
- 77291139c7c1 12.0 landed