|
99 | 99 | </para> |
100 | 100 | </listitem> |
101 | 101 |
|
102 | | - <listitem> |
103 | | - <para> |
104 | | - Channel binding for SCRAM authentication, to prevent potential |
105 | | - man-in-the-middle attacks on database connections |
106 | | - </para> |
107 | | - </listitem> |
108 | | - |
109 | 102 | <listitem> |
110 | 103 | <para> |
111 | 104 | Many other useful performance improvements, including making |
@@ -1230,29 +1223,6 @@ same commits as above |
1230 | 1223 |
|
1231 | 1224 | <listitem> |
1232 | 1225 | <!-- |
1233 | | -2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM |
1234 | | -2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding" |
1235 | | -2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM |
1236 | | ---> |
1237 | | - |
1238 | | - <para> |
1239 | | - Add libpq option to support channel binding when using <link |
1240 | | - linkend="auth-password"><acronym>SCRAM</acronym></link> |
1241 | | - authentication (Michael Paquier) |
1242 | | - </para> |
1243 | | - |
1244 | | - <para> |
1245 | | - While <acronym>SCRAM</acronym> always prevents the |
1246 | | - replay of transmitted hashed passwords in a later |
1247 | | - session, <acronym>SCRAM</acronym> with channel binding |
1248 | | - also prevents man-in-the-middle attacks. The options are <link |
1249 | | - linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link> |
1250 | | - and <option>scram_channel_binding=tls-server-end-point</option>. |
1251 | | - </para> |
1252 | | - </listitem> |
1253 | | - |
1254 | | - <listitem> |
1255 | | -<!-- |
1256 | 1226 | 2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au |
1257 | 1227 | --> |
1258 | 1228 |
|
@@ -2646,6 +2616,35 @@ same commits as above |
2646 | 2616 |
|
2647 | 2617 | <listitem> |
2648 | 2618 | <!-- |
| 2619 | +2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM |
| 2620 | +2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding" |
| 2621 | +2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM |
| 2622 | +--> |
| 2623 | + |
| 2624 | + <para> |
| 2625 | + Add ability to use channel binding when using <link |
| 2626 | + linkend="auth-password"><acronym>SCRAM</acronym></link> |
| 2627 | + authentication (Michael Paquier) |
| 2628 | + </para> |
| 2629 | + |
| 2630 | + <para> |
| 2631 | + While <acronym>SCRAM</acronym> always prevents the |
| 2632 | + replay of transmitted hashed passwords in a later session, |
| 2633 | + <acronym>SCRAM</acronym> with channel binding can also prevent |
| 2634 | + man-in-the-middle attacks. However, since there is no way |
| 2635 | + to <emphasis>force</emphasis> channel binding in libpq, |
| 2636 | + the feature currently does not prevent man-in-the-middle |
| 2637 | + attacks when using libpq and interfaces built using it. It is |
| 2638 | + expected that future versions of libpq and interfaces not built |
| 2639 | + using libpq, e.g. JDBC, will allow this capability. The libpq |
| 2640 | + options to control the optional channel binding type are <link |
| 2641 | + linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link> |
| 2642 | + and <option>scram_channel_binding=tls-server-end-point</option>. |
| 2643 | + </para> |
| 2644 | + </listitem> |
| 2645 | + |
| 2646 | + <listitem> |
| 2647 | +<!-- |
2649 | 2648 | 2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co |
2650 | 2649 | 2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with |
2651 | 2650 | 2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru |
|