On Sun, May 13, 2018 at 03:43:08PM +0900, Michael Paquier wrote:
> On Fri, May 11, 2018 at 11:08:52AM -0400, Bruce Momjian wrote:
> > I have committed the first draft of the Postgres 11 release notes.  I
> > will add more markup soon.  You can view the most current version
> > here:
> 
> Thanks for gathering all the commits in one piece, Bruce.
> 
> > I expect a torrent of feedback.  ;-)
> 
> I looked at the entries where my name shows up.  Here is some feedback
> with HEAD at 8c6227a2 (latest as of writing this message).
> 
> <para>
>  Add information_schema columns related to table constraints and
>  triggers (Michael Paquier)
> </para>
> The author of this entry is Peter Eisentraut, not me.

Thanks, I got "Reviewed-by" and "Author" mixed up.

> <para>
>  Channel binding requires the server end
>  of the <acronym>TLS</acronym> connection to
>  prove that it knows the password.  The options are <link
>  linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
>  and <option>scram_channel_binding=tls-server-end-point</option>.
> </para>
> This is not actually correct.  Channel binding is an MITM prevention
> mechanism which makes sure that after the SSL handshake the backend and
> the frontend are still connected to the same things.  "tls-unique" makes
> sure that a connection is uniquely used using a hash of the TLS finish
> message, and end-point makes sure that the endpoints are the same using
> a hash of the server certificate.

So, channel binding has had me confused since I first heard about it.  I
have done some research and reworded the commit with the attached first patch.

Also, I have created a second patch which actually explains the two
SCRAM channel binding options and how they work.

One question I do have is how do we prevent a fake server in the middle
from pretending it is a PG 10 server and therefore avoiding channel
binding protections?  I don't see any channel binding options in
pg_hba.conf, and while libpq has options, they are explained with "This
parameter is mainly intended for protocol testing."

> <para>
>  WHAT DOES THIS DOC TEXT MEAN?  "An empty value specifies that
>  the client will not use channel binding.  The default value
>  is tls-unique."
> </para>
> This means that the client can choose to not use channel binding (which
> sends a 'n' flag if you refer to the communication protocol of SCRAM),
> even if the server has advertised to the client channel binding.  So
> this provides a way to disable the feature at will, an on/off switch if
> you want.  If a v10 libpq tries to connect to a v11 server, then it
> won't use channel binding automatically.  That may be worth adding to
> the documentation as well.

I have updated the docs in the second patch to explain this.

> <para>
>  Allow access to file system functions to be controlled by
>  <command>GRANT</command>/<command>REVOKE</command> permissions,
>  rather than super-user checks (Michael Paquier)
> </para>
> Author is Stephen Frost here.

Done.

> <para>
>  Use <command>GRANT</command>/<command>REVOKE</command>
>  to control access to <link
>  linkend="lo-import"><function>lo_import()</function></link>
>  and <function>lo_export()</function> (Michael Paquier)
> </para>
> Tom Lane is a co-author here I think.

Done.

> <para>
>  Add libpq parameter to allow physical and logical replication
>  connections (Michael Paquier)
> </para>
> This commit has just added documentation which was missing and
> incomplete.  I would suggest to remove it from the release notes as no
> new feature has been added.

Removed.

> <para>
>  Add <link
>  linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
>  option <option>--no-sync</option> to prevent synchronous
>  <acronym>WAL</acronym> writes (Michael Paquier)
> </para>
> Perhaps this should be rewritten?  --no-sync just disables any fsync
> calls for WAL segments, which is useful for tests, not recommended for
> production environments.

Done.

> <para>
>  Prevent <application>pg_rewind</application> from running as
>  <literal>root</literal> (Magnus Hagander)
> </para>
> This one's authorship is actually mine, after a bug I found :)

Done, thanks much.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
new file mode 100644
index 6bde17e..763a154
*** a/doc/src/sgml/release-11.sgml
--- b/doc/src/sgml/release-11.sgml
*************** same commits as above
*** 1057,1063 ****
  
         <para>
          Add information_schema columns related to table constraints and
!         triggers (Michael Paquier)
         </para>
  
         <para>
--- 1057,1063 ----
  
         <para>
          Add information_schema columns related to table constraints and
!         triggers (Peter Eisentraut)
         </para>
  
         <para>
*************** same commits as above
*** 1091,1111 ****
         <para>
          Add libpq option to support channel binding when using <link
          linkend="auth-password"><acronym>SCRAM</acronym></link>
!         authentication (Michael Paquier)
         </para>
  
         <para>
!         Channel binding requires the server end
!         of the <acronym>TLS</acronym> connection to
!         prove that it knows the password.  The options are <link
          linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
          and <option>scram_channel_binding=tls-server-end-point</option>.
         </para>
- 
-        <para>
-         WHAT DOES THIS DOC TEXT MEAN?  "An empty value specifies that
-         the client will not use channel binding.  The default value
-         is tls-unique."
         </para>
        </listitem>
  
--- 1091,1107 ----
         <para>
          Add libpq option to support channel binding when using <link
          linkend="auth-password"><acronym>SCRAM</acronym></link>
!         authentication (Peter Eisentraut)
         </para>
  
         <para>
!         While <acronym>SCRAM</acronym> always prevents the
!         replay of transmitted hashed passwords in a later
!         session, <acronym>SCRAM</acronym> with channel binding
!         also prevents man-in-the-middle attacks.  The options are <link
          linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
          and <option>scram_channel_binding=tls-server-end-point</option>.
         </para>
         </para>
        </listitem>
  
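Review bot: The new side of this hunk closes the channel-binding entry with two consecutive </para> lines before </listitem>. The "WHAT DOES THIS DOC TEXT MEAN?" paragraph is removed from its opening <para> through the quoted text, but its closing </para> stays as unchanged context, leaving an unmatched close tag; drop the second </para>. Separately, the author on the "authentication (...)" line changes from Michael Paquier to Peter Eisentraut, while the feedback in the mail names Peter Eisentraut only for the information_schema entry, so this attribution should be double-checked.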
*************** same commits as above
*** 1196,1202 ****
         <para>
          Allow access to file system functions to be controlled by
          <command>GRANT</command>/<command>REVOKE</command> permissions,
!         rather than super-user checks (Michael Paquier)
         </para>
  
         <para>
--- 1192,1198 ----
         <para>
          Allow access to file system functions to be controlled by
          <command>GRANT</command>/<command>REVOKE</command> permissions,
!         rather than super-user checks (Stephen Frost)
         </para>
  
         <para>
*************** same commits as above
*** 1218,1224 ****
          Use <command>GRANT</command>/<command>REVOKE</command>
          to control access to <link
          linkend="lo-import"><function>lo_import()</function></link>
!         and <function>lo_export()</function> (Michael Paquier)
         </para>
  
         <para>
--- 1214,1220 ----
          Use <command>GRANT</command>/<command>REVOKE</command>
          to control access to <link
          linkend="lo-import"><function>lo_import()</function></link>
!         and <function>lo_export()</function> (Michael Paquier, Tom Lane)
         </para>
  
         <para>
*************** same commits as above
*** 1881,1902 ****
  
        <listitem>
  <!--
- 2018-03-06 [0c2c81b40] doc: Add replication parameter to libpq documentation
- -->
- 
-        <para>
-         Add libpq parameter to allow physical and logical replication
-         connections (Michael Paquier)
-        </para>
- 
-        <para>
-         The libpq connection parameter is called <link
-         linkend="libpq-connect-replication"><option>replication</option></link>.
-        </para>
-       </listitem>
- 
-       <listitem>
- <!--
  2018-03-17 [e3bdb2d92] Set libpq sslcompression to off by default
  -->
  
--- 1877,1882 ----
*************** same commits as above
*** 2330,2336 ****
          Add <link
          linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
          option <option>--no-sync</option> to prevent synchronous
!         <acronym>WAL</acronym> writes (Michael Paquier)
         </para>
        </listitem>
  
--- 2310,2316 ----
          Add <link
          linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
          option <option>--no-sync</option> to prevent synchronous
!         <acronym>WAL</acronym> writes, for testing (Michael Paquier)
         </para>
        </listitem>
  
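Review bot: "to prevent synchronous WAL writes, for testing" on the changed line still does not say what --no-sync does. The feedback quoted in the mail is that it disables fsync calls for WAL segments and is not recommended for production; wording along the lines of "to skip fsync of WAL segments, intended for testing only" would carry both facts.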
*************** same commits as above
*** 2382,2388 ****
  
         <para>
          Prevent <application>pg_rewind</application> from running as
!         <literal>root</literal> (Magnus Hagander)
         </para>
  
        </listitem>
--- 2362,2368 ----
  
         <para>
          Prevent <application>pg_rewind</application> from running as
!         <literal>root</literal> (Michael Paquier)
         </para>
  
        </listitem>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
new file mode 100644
index 800e68a..498b8df
*** a/doc/src/sgml/libpq.sgml
--- b/doc/src/sgml/libpq.sgml
*************** postgresql://%2Fvar%2Flib%2Fpostgresql/d
*** 1242,1255 ****
        <term><literal>scram_channel_binding</literal></term>
        <listitem>
         <para>
!         Specifies the channel binding type to use with SCRAM authentication.
!         The list of channel binding types supported by server are listed in
!         <xref linkend="sasl-authentication"/>.  An empty value specifies that
!         the client will not use channel binding.  The default value is
!         <literal>tls-unique</literal>.
         </para>
  
         <para>
          Channel binding is only supported on SSL connections.  If the
          connection is not using SSL, then this setting is ignored.
         </para>
--- 1242,1259 ----
        <term><literal>scram_channel_binding</literal></term>
        <listitem>
         <para>
!         Specifies the channel binding type to use with SCRAM
!         authentication.  While <acronym>SCRAM</acronym> alone prevents
!         the replay of transmitted hashed passwords, channel binding also
!         prevents man-in-the-middle attacks.
         </para>
  
         <para>
+         The list of channel binding types supported by the server are
+         listed in <xref linkend="sasl-authentication"/>.  An empty value
+         specifies that the client will not use channel binding.  If this
+         parameter is not specified, <literal>tls-unique</literal> is used,
+         if supported by both server and client.
          Channel binding is only supported on SSL connections.  If the
          connection is not using SSL, then this setting is ignored.
         </para>
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
new file mode 100644
index 004b360..cfc805f
*** a/doc/src/sgml/protocol.sgml
--- b/doc/src/sgml/protocol.sgml
*************** should use <literal>tls-unique</literal>
*** 1584,1589 ****
--- 1584,1616 ----
  that cannot support <literal>tls-unique</literal> for some reason.
    </para>
  
+   <para>
+    In <acronym>SCRAM</acronym> without channel binding, the server chooses
+    a random number that is transmitted to the client to be mixed with the
+    user-supplied password in the transmitted password hash.  While this
+    prevents the password hash from being successfully retransmitted in
+    a later session, it does not prevent a fake server between the real
+    server and client from passing through the server's random value 
+    and successfully authenticating.
+   </para>
+ 
+   <para>
+    <acronym>SCRAM</acronym> with channel binding prevents such
+    man-in-the-middle attacks by mixing a value into the transmitted
+    password hash that cannot be retransmitted by a fake server.
+    In <acronym>SCRAM</acronym> with <literal>tls-unique</literal>
+    channel binding, the shared secret negotiated during the SSL session
+    is mixed into the user-supplied password hash.  The shared secret
+    is partly chosen by the server, but not directly transmitted, making
+    it impossible for a fake server to create an SSL connection with the
+    client that has the same shared secret it has with the real server.
+    <acronym>SCRAM</acronym> with <literal>tls-server-end-point</literal>
+    mixes a hash of the server's certificate into the user-supplied password
+    hash.  While a fake server can retransmit the real server's certificate,
+    it doesn't have access to the private key matching that certificate, and
+    therefore cannot prove it is the owner, causing SSL connection failure.
+   </para>
+ 
  <procedure>
  <title>Example</title>
    <step id="scram-begin">
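Review bot: The tls-unique description in the second added paragraph, "the shared secret negotiated during the SSL session is mixed into the user-supplied password hash", does not match the description in the quoted feedback, where tls-unique uses a hash of the TLS finish message and the end-point type uses a hash of the server certificate. Name the channel-binding data for each type so the two descriptions agree. The closing clause "causing SSL connection failure" describes what the SSL handshake rejects rather than what the binding adds, so it would help to say what the SCRAM exchange itself checks for tls-server-end-point. There is also trailing whitespace after "random value" in the first added paragraph.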

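The channel binding behaviour discussed in the message above, as an added example that is not code from the thread or from PostgreSQL: a minimal RFC 5802 SCRAM-SHA-256 proof check showing that a channel-bound exchange is rejected when the server sees a different TLS session than the client, while an exchange sent with the 'n' flag is accepted either way. All function names are hypothetical, messages are passed already parsed, and the password, salt, nonces and binding values are constructed.

```python
import base64, hashlib, hmac

def hm(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def cbind_attr(cb_type, cb_data):
    # RFC 5802: c= carries base64(gs2-header + binding data); "n,," means no binding
    gs2 = b"n,," if cb_type is None else b"p=" + cb_type + b",,"
    return b"c=" + base64.b64encode(gs2 + (b"" if cb_type is None else cb_data))

def auth_message(cnonce, snonce, salt, iters, final_no_proof):
    first_bare = b"n=,r=" + cnonce  # constructed: empty user name
    server_first = b"r=%s%s,s=%s,i=%d" % (cnonce, snonce, base64.b64encode(salt), iters)
    return first_bare + b"," + server_first + b"," + final_no_proof

def client_final(password, salt, iters, cnonce, snonce, cb_type, cb_data):
    """Client: bind to the TLS session the client sees, then compute ClientProof."""
    final_no_proof = cbind_attr(cb_type, cb_data) + b",r=" + cnonce + snonce
    client_key = hm(hashlib.pbkdf2_hmac("sha256", password, salt, iters), b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    sig = hm(stored_key, auth_message(cnonce, snonce, salt, iters, final_no_proof))
    return final_no_proof, bytes(a ^ b for a, b in zip(client_key, sig))

def server_accepts(stored_key, salt, iters, cnonce, snonce,
                   final_no_proof, proof, cb_type, cb_data):
    """Server: compare c= with the TLS session the server sees, then check the proof."""
    if not final_no_proof.startswith(cbind_attr(cb_type, cb_data) + b","):
        return False  # client is bound to a different TLS session
    sig = hm(stored_key, auth_message(cnonce, snonce, salt, iters, final_no_proof))
    client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def relay_scenario(cb_type):
    """Constructed values: client <-TLS-> relay <-TLS-> real server, two TLS sessions."""
    pw, salt, iters = b"constructed-pw", b"constructed-salt", 4096
    cn, sn = b"cnonce", b"snonce"
    salted = hashlib.pbkdf2_hmac("sha256", pw, salt, iters)
    stored = hashlib.sha256(hm(salted, b"Client Key")).digest()
    client_leg, server_leg = b"binding-data-client-relay", b"binding-data-relay-server"
    msg, proof = client_final(pw, salt, iters, cn, sn, cb_type, client_leg)
    direct = server_accepts(stored, salt, iters, cn, sn, msg, proof, cb_type, client_leg)
    relayed = server_accepts(stored, salt, iters, cn, sn, msg, proof, cb_type, server_leg)
    return direct, relayed  # (accepted on one TLS session, accepted across two)
```

Because the c= attribute is part of the AuthMessage that the ClientProof signs, replacing it in transit to match the other TLS session invalidates the proof as well.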