On Mon, May 1, 2017 at 08:12:51AM -0400, Robert Haas wrote: > On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <br...@momjian.us> wrote: > > Well, we could add "MD5 users are encouraged to switch to > > SCRAM-SHA-256". Now whether we want to list this as something on the > > SCRAM-SHA-256 description, or mention it as an incompatibility, or > > under Migration. I am not clear that MD5 is in such terrible shape that > > this is warranted. > > I think it's warranted. The continuing use of MD5 has been a headache > for some EnterpriseDB customers who have compliance requirements which > they must meet. It's not that they themselves necessarily know or > care whether MD5 is secure, although in some cases they do; it's that > if they use it, they will be breaking laws or regulations to which > their business or agency is subject. I imagine customers of other > PostgreSQL companies have similar issues. But leaving that aside, the > advantage of SCRAM isn't merely that it uses a better algorithm to > hash the password. It has other advantages also, like not being > vulnerable to replay attacks. If you're doing password > authentication, you should really be using SCRAM, and encouraging > people to move to SCRAM after upgrading is a good idea. > > That having been said, SCRAM is a wire protocol break. You will not > be able to upgrade to SCRAM unless and until the drivers you use to > connect to the database add support for it. The only such driver > that's part of libpq; other drivers that have reimplemented the > PostgreSQL wire protocol will have to be updated with SCRAM support > before it will be possible to use SCRAM with those drivers. I think > this should be mentioned in the release notes, too. I also think it > would be great if somebody would put together a wiki page listing all > the popular drivers and (1) whether they use libpq or reimplement the > wire protocol, and (2) if the latter, the status of any efforts to > implement SCRAM, and (3) if those efforts have been completed, the > version from which they support SCRAM. Then, I think we should reach > out to all of the maintainers of those driver authors who aren't > moving to support SCRAM and encourage them to do so.
I have added this as an open item because we will have to wait to see where we are with driver support as the release gets closer. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
