sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-10-31 00:03:57 -04:00
Code Issues Projects Releases Wiki Activity

|--- gitweb/email subject limit -----------------|-------------|

Browse Source 
doc:  PG 11 relnotes: remove channel binding from major features

Also move to the source code section, and expand the paragraph
This commit is contained in:
Bruce Momjian 2018-06-26 14:31:57 -04:00
parent aefb0a382c
commit a89357e2f7
1 changed files with 29 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
doc/src/sgml/release-11.sgml
View File

@ -99,13 +99,6 @@
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Channel binding for SCRAM authentication, to prevent potential
man-in-the-middle attacks on database connections
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Many other useful performance improvements, including making Many other useful performance improvements, including making
@ -1230,29 +1223,6 @@ same commits as above
<listitem> <listitem>
<!-- <!--
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
-->
<para>
Add libpq option to support channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
authentication (Michael Paquier)
</para>
<para>
While <acronym>SCRAM</acronym> always prevents the
replay of transmitted hashed passwords in a later
session, <acronym>SCRAM</acronym> with channel binding
also prevents man-in-the-middle attacks. The options are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
</listitem>
<listitem>
<!--
2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au 2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
--> -->
@ -2646,6 +2616,35 @@ same commits as above
<listitem> <listitem>
<!-- <!--
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
-->
<para>
Add ability to use channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
authentication (Michael Paquier)
</para>
<para>
While <acronym>SCRAM</acronym> always prevents the
replay of transmitted hashed passwords in a later session,
<acronym>SCRAM</acronym> with channel binding can also prevent
man-in-the-middle attacks. However, since there is no way
to <emphasis>force</emphasis> channel binding in libpq,
the feature currently does not prevent man-in-the-middle
attacks when using libpq and interfaces built using it. It is
expected that future versions of libpq and interfaces not built
using libpq, e.g. JDBC, will allow this capability. The libpq
options to control the optional channel binding type are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
</listitem>
<listitem>
<!--
2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co 2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with 2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru 2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru