|
|
|
@ -99,13 +99,6 @@ |
|
|
|
|
</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para> |
|
|
|
|
Channel binding for SCRAM authentication, to prevent potential |
|
|
|
|
man-in-the-middle attacks on database connections |
|
|
|
|
</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para> |
|
|
|
|
Many other useful performance improvements, including making |
|
|
|
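Review bot: the bullet being removed ("Channel binding for SCRAM authentication, to prevent potential man-in-the-middle attacks on database connections") claims more than the shipped feature delivers, so taking it out of the major-features list is correct; but deleting it outright leaves the summary with no mention of channel binding at all, so readers who only skim this list will not know the feature exists or go looking for the qualified entry later in the notes. Consider a neutral replacement line such as "Channel binding support for SCRAM authentication" with the man-in-the-middle claim dropped, so the feature stays discoverable while the security claim is made only where its caveat is stated.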
@ -1230,29 +1223,6 @@ same commits as above |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<!-- |
|
|
|
|
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM |
|
|
|
|
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding" |
|
|
|
|
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM |
|
|
|
|
--> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
|
Add libpq option to support channel binding when using <link |
|
|
|
|
linkend="auth-password"><acronym>SCRAM</acronym></link> |
|
|
|
|
authentication (Michael Paquier) |
|
|
|
|
</para> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
|
While <acronym>SCRAM</acronym> always prevents the |
|
|
|
|
replay of transmitted hashed passwords in a later |
|
|
|
|
session, <acronym>SCRAM</acronym> with channel binding |
|
|
|
|
also prevents man-in-the-middle attacks. The options are <link |
|
|
|
|
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link> |
|
|
|
|
and <option>scram_channel_binding=tls-server-end-point</option>. |
|
|
|
|
</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<!-- |
|
|
|
|
2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au |
|
|
|
|
--> |
|
|
|
|
|
|
|
|
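Review bot: removing this entry takes the new scram_channel_binding connection parameter out of the libpq section entirely, and that parameter is the libpq-visible change here (commit 4bbf110d2 'Add libpq connection parameter "scram_channel_binding"' in the comment block being deleted). Users reading the libpq changes to find new connection options will miss it. Keep a one-line item in this section ("Add libpq connection parameter scram_channel_binding") pointing at the libpq-scram-channel-binding docs, and leave the security discussion to the qualified entry. Separately, the paragraph being deleted stated unconditionally that "SCRAM with channel binding also prevents man-in-the-middle attacks"; check that no other copy of that sentence survives elsewhere in the release notes.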
@ -2646,6 +2616,35 @@ same commits as above |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<!-- |
|
|
|
|
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM |
|
|
|
|
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding" |
|
|
|
|
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM |
|
|
|
|
--> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
|
Add ability to use channel binding when using <link |
|
|
|
|
linkend="auth-password"><acronym>SCRAM</acronym></link> |
|
|
|
|
authentication (Michael Paquier) |
|
|
|
|
</para> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
|
While <acronym>SCRAM</acronym> always prevents the |
|
|
|
|
replay of transmitted hashed passwords in a later session, |
|
|
|
|
<acronym>SCRAM</acronym> with channel binding can also prevent |
|
|
|
|
man-in-the-middle attacks. However, since there is no way |
|
|
|
|
to <emphasis>force</emphasis> channel binding in libpq, |
|
|
|
|
the feature currently does not prevent man-in-the-middle |
|
|
|
|
attacks when using libpq and interfaces built using it. It is |
|
|
|
|
expected that future versions of libpq and interfaces not built |
|
|
|
|
using libpq, e.g. JDBC, will allow this capability. The libpq |
|
|
|
|
options to control the optional channel binding type are <link |
|
|
|
|
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link> |
|
|
|
|
and <option>scram_channel_binding=tls-server-end-point</option>. |
|
|
|
|
</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<!-- |
|
|
|
|
2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co |
|
|
|
|
2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with |
|
|
|
|
2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru |
|
|
|
|
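Review bot: the new paragraph says the feature "currently does not prevent man-in-the-middle attacks" because channel binding cannot be forced in libpq, but it never says what happens instead, which is what a reader needs to judge the risk: because the client cannot require channel binding, a connection completes SCRAM authentication without it whenever channel binding is not offered on the path, so an active attacker only has to arrange for it not to be offered. Add one sentence to that effect after "the feature currently does not prevent man-in-the-middle attacks when using libpq and interfaces built using it". Also, "It is expected that future versions of libpq and interfaces not built using libpq, e.g. JDBC, will allow this capability" is a roadmap promise and does not belong in release notes; drop it or rephrase as a present-tense statement ("Channel binding cannot currently be required by the client"). Minor: only scram_channel_binding=tls-unique is wrapped in the <link linkend="libpq-scram-channel-binding"> element; link scram_channel_binding=tls-server-end-point the same way or link neither.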