On 5 March 2015 at 22:39, Aaron Zauner <[email protected]> wrote:
> Yep. I confused SRP with PSK ciphersuites here. There're no ciphersuites
> that support PKIX and SRP. Unfortunately there's also only AES-CBC
> (mac-then-encrypt) as a possible option when using SRP.
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Those ciphersuites are not ideal, but exploiting padding oracles requires an auto-reconnecting client and doesn't buy you all that much.

I think the direction upstream is going with SCRAM (or similar) is fine, but either new hashes are required or using a customized code base that uses MD5(password|username) where the password would normally be directly input is needed.

I don't have time to write any code, but I'm happy to review schemes and code (and probably will at some point anyway).

Regards,
Michael
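
The second option in the message above (feeding MD5(password|username) into SCRAM where the password would normally go), as an added example that is not part of the original email or of PostgreSQL's code. It assumes SCRAM-SHA-256 key derivation as in RFC 5802/7677 and 4096 iterations; all function names are hypothetical.

```python
import hashlib
import hmac

ITERATIONS = 4096  # assumed iteration count, not taken from the thread


def pg_md5_hex(password: str, username: str) -> str:
    """Hex MD5(password || username): what PostgreSQL stores after the 'md5' prefix."""
    return hashlib.md5((password + username).encode("utf-8")).hexdigest()


def _keys(secret: str, salt: bytes, iterations: int):
    """RFC 5802 ClientKey, StoredKey and ServerKey for a SCRAM 'password' input."""
    # Hi() in RFC 5802 is PBKDF2-HMAC with output length equal to the hash length.
    # The secret is ASCII hex here, so SASLprep normalisation is a no-op.
    salted = hashlib.pbkdf2_hmac("sha256", secret.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def migrate_md5_row(rolpassword: str, salt: bytes, iterations: int = ITERATIONS):
    """Server side: derive a SCRAM verifier from an existing 'md5...' entry.
    No plaintext password is needed, so old hashes can be converted in place."""
    if not rolpassword.startswith("md5") or len(rolpassword) != 35:
        raise ValueError("not an md5 password entry")
    _, stored_key, server_key = _keys(rolpassword[3:], salt, iterations)
    return stored_key, server_key


def client_proof(password, username, salt, auth_message, iterations=ITERATIONS):
    """Client side: hash the typed password the old way first, then run SCRAM on it."""
    client_key, stored_key, _ = _keys(pg_md5_hex(password, username), salt, iterations)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(stored_key: bytes, proof: bytes, auth_message: bytes) -> bool:
    """Recover ClientKey from the proof and check that its hash equals StoredKey."""
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```

The old MD5 digest stays password-equivalent under this scheme, so the original `md5...` entry should be discarded once the SCRAM verifier has been written.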
