On 9/12/17 19:03, Michael Paquier wrote: > Once channel binding is involved though.. This needs to be extended > and this needs careful thoughts: > * "scram-sha-256" means that the version without channel binding is > accepted. "!scram-sha-256" means that scram without channel binding is > refused. > * "scram-sha-256-plus" means that all channel bindings are accepted. > "!scram-sha-256-plus" means that no channel binding are accepted. > After that there is some filtering per channel binding name. Do we > want a separate parameter or just filter with longer names like > "scram-sha-256-plus-tls-unique" and > "scram-sha-256-plus-tls-server-end-point"? The last one gets > particularly long, this does not help users with typos :)
Second thoughts, to make things simpler. All we need for channel binding is a connection flag that says "I require channel binding". It could be modeled after the sslmode parameter, e.g., cbind=disable (maybe for debugging), cbind=prefer (default), cbind=require. If you specify "require", then libpq would refuse to proceed unless scram-sha2-256-plus (or future similar mechanisms) was offered for authentication. We don't even need a parameter that specifies which channel binding type to use. If libpq implements tls-unique, it should always use that. We might need a flag for testing other types, but that should not be an in-the-user's-face option. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers