On Thu, Oct 13, 2022 at 10:30:37AM -0700, Jacob Champion wrote:
> Is the intent to backport tls-exporter client support? Or is the
> compatibility break otherwise acceptable?

Well, I'd rather say yes thanks to the complexity avoided in the backend
as that's the most sensible piece security-wise, even if we always
require a certificate to exist in PG. A server attempting to trick a
client into downgrading would still be a problem :/

tls-exporter would be a new feature, so backporting is out of the picture.

> It seemed like there was also some general interest in proxy TLS
> termination (see also the PROXY effort, though it has stalled a bit).
> For that, I would think tls-server-end-point is an important feature.

Oh, okay. That's an argument in favor of not doing that, then. Perhaps
we'd better revisit the introduction of tls-exporter once we know more
about all that, and it looks like we would need a way to be able to
negotiate which channel binding to use (I recall that the surrounding
RFCs allowed some extra negotiation, vaguely, but my impression may be
wrong).
--
Michael
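The two points in this exchange, that the backend only needs a certificate (not the TLS session) to verify tls-server-end-point, and that a client tricked into dropping channel binding is the remaining risk, are easiest to see in the SCRAM c= attribute itself. The following is an added example written for this page, not code from the thread or from PostgreSQL: a minimal SCRAM-SHA-256-PLUS exchange (RFC 5802 / RFC 7677) with tls-server-end-point binding (RFC 5929). The certificate bytes, user name, password, nonces and salt are all constructed here; a real implementation takes the DER certificate from the TLS handshake and assumes nothing about its signature hash.

```python
import base64
import hashlib
import hmac
import os

# Added example (not code from the thread or from PostgreSQL): a minimal
# SCRAM-SHA-256-PLUS exchange showing how the c= attribute ties the proof
# to channel-binding data, and why the server needs only the certificate
# (not the TLS session keys) when the binding type is tls-server-end-point.

HASH = hashlib.sha256
CB_TYPE = "tls-server-end-point"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: a hash of the DER server certificate.
    The hash comes from the certificate's signature algorithm (MD5/SHA-1
    are upgraded to SHA-256); this example assumes a SHA-256-signed cert."""
    return hashlib.sha256(cert_der).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword -> (ClientKey, StoredKey), RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return client_key, HASH(client_key).digest()


def client_final(gs2: str, cb_data: bytes, nonce: str, password: str,
                 salt: bytes, iterations: int, auth_prefix: str) -> str:
    """Build client-final-message; c= carries base64(gs2-header || cb-data)."""
    c = base64.b64encode(gs2.encode() + cb_data).decode()
    without_proof = f"c={c},r={nonce}"
    client_key, stored_key = _keys(password, salt, iterations)
    auth_message = f"{auth_prefix},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    return f"{without_proof},p={proof}"


def server_verify(msg: str, stored_key: bytes, server_gs2: str,
                  server_cb_data: bytes, auth_prefix: str):
    """Server-side checks: downgrade flag, channel binding, then the proof."""
    attrs = dict(kv.split("=", 1) for kv in msg.split(","))
    c_value = base64.b64decode(attrs["c"])
    # RFC 5802: a server that supports channel binding must fail on 'y'
    if c_value.startswith(b"y,,"):
        return False, "downgrade detected"
    # The server recomputes the binding from its own view of the channel
    if c_value != server_gs2.encode() + server_cb_data:
        return False, "channel binding mismatch"
    without_proof = msg.rsplit(",p=", 1)[0]
    auth_message = f"{auth_prefix},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    client_key = _xor(base64.b64decode(attrs["p"]), client_sig)
    if not hmac.compare_digest(HASH(client_key).digest(), stored_key):
        return False, "bad proof"
    return True, "ok"


def scram_round_trip(client_cert: bytes, server_cert: bytes,
                     client_gs2: str = f"p={CB_TYPE},,",
                     client_password: str = "correct horse",
                     stored_password: str = "correct horse"):
    """One SCRAM-SHA-256-PLUS exchange with constructed nonces and salt."""
    user = "alice"
    salt, iterations = os.urandom(16), 4096
    client_nonce = base64.b64encode(os.urandom(18)).decode()
    server_nonce = base64.b64encode(os.urandom(18)).decode()
    nonce = client_nonce + server_nonce
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    auth_prefix = f"{client_first_bare},{server_first}"
    # The client hashes the certificate it saw in its own TLS handshake
    final = client_final(client_gs2, tls_server_end_point(client_cert), nonce,
                         client_password, salt, iterations, auth_prefix)
    # The server needs only a certificate, so a TLS-terminating proxy works
    # as long as the backend is given the proxy's certificate to hash
    _, stored_key = _keys(stored_password, salt, iterations)
    return server_verify(final, stored_key, f"p={CB_TYPE},,",
                         tls_server_end_point(server_cert), auth_prefix)


# Constructed stand-ins for DER certificates (real code uses handshake bytes)
BACKEND_CERT = b"constructed DER bytes: backend certificate"
PROXY_CERT = b"constructed DER bytes: TLS-terminating proxy certificate"

if __name__ == "__main__":
    print("direct TLS        :", scram_round_trip(BACKEND_CERT, BACKEND_CERT))
    print("proxy, cert unknown:", scram_round_trip(PROXY_CERT, BACKEND_CERT))
    print("proxy, cert known  :", scram_round_trip(PROXY_CERT, PROXY_CERT))
    print("downgraded to 'y'  :", scram_round_trip(BACKEND_CERT, BACKEND_CERT,
                                                  client_gs2="y,,"))
```

The second scenario is the proxy case from the quoted message: the client binds to the proxy's certificate while the backend hashes its own, so the exchange fails until the backend is handed the proxy certificate, which is possible precisely because tls-server-end-point never needs the session's keying material. The last scenario shows the one protection SCRAM has against the downgrade Michael mentions: a genuine server that supports channel binding rejects a client that was led to believe it does not. A server that simply never advertises SCRAM-SHA-256-PLUS is not caught by this check, which is why the client side has to insist on binding on its own.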