Re: Postgres 11 release notes - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: Postgres 11 release notes
Date
Msg-id 20180516115923.GB14835@paquier.xyz
Whole thread Raw
In response to Re: Postgres 11 release notes  (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses Re: Postgres 11 release notes
List pgsql-hackers
On Wed, May 16, 2018 at 01:09:07PM +0300, Heikki Linnakangas wrote:
> I have to agree with Bruce, that it's pretty useless to implement channel
> binding, if there is no way to require it in libpq. IMHO that must be
> fixed.

Wouldn't we want to also do something for the case where a client is
willing to use SCRAM but that the server forces back MD5?  In which
case, one possibility is a connection parameter like the following,
named say authmethod:
- An empty value is equivalent to the current behavior, and is the
default.
- 'scram' means that client is willing to use SCRAM, which would cause a
failure if server attempts to enforce MD5.
- 'scram-plus' means that client enforces SCRAM and channel binding.

Or we could just have a channel_binding_mode, which has a "require"
value like sslmode, and "prefer" mode, which is the default and the
current behavior...  Still what to do with MD5 requests in this case?
--
Michael

Attachment

pgsql-hackers by date:

Previous
From: Arthur Zakirov
Date:
Subject: Re: [PROPOSAL] Shared Ispell dictionaries
Next
From: Stas Kelvich
Date:
Subject: Re: Global snapshots