On Fri, Sep 15, 2017 at 6:29 PM, Michael Paquier <michael.paqu...@gmail.com> wrote: > I would like to point out that per the RFC, if the client attempts a > SSL connection with SCRAM and that the server supports channel > binding, then it has to publish the SASL mechanism for channel > binding, aka SCRAM-PLUS. If the client tries to force the use of SCRAM > even if SCRAM-PLUS is specified, this is seen as a downgrade attack by > the server which must reject the connection. So this parameter has > meaning only if you try to connect to a PG10 server using a PG11 > client (assuming that channel binding gets into PG11). If you connect > with a PG11 client to a PG11 server with SSL, the server publishes > SCRAM-PLUS, the client has to use it, hence this turns out to make > cbind=disable and prefer meaningless in the long-term. If the client > does not use SSL, then there is no channel binding, and cbind=require > loses its value. So cbind's fate is actually linked to sslmode.
That seems problematic. What if the client supports SCRAM but not channel binding? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers