Home > mailing lists

Re: Docs: Encourage strong server verification with SCRAM - Mailing list pgsql-hackers

From	Jonathan S. Katz
Subject	Re: Docs: Encourage strong server verification with SCRAM
Date	May 28, 2023 21:21:53
Msg-id	4ef7e9fc-126a-3be9-3165-6fdb4153381a@postgresql.org Whole thread Raw
In response to	Re: Docs: Encourage strong server verification with SCRAM (Jacob Champion <jchampion@timescale.com>)
Responses	Re: Docs: Encourage strong server verification with SCRAM Re: Docs: Encourage strong server verification with SCRAM
List	pgsql-hackers

Tree view

On 5/26/23 6:47 PM, Jacob Champion wrote:
> On Thu, May 25, 2023 at 6:10 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:

>> +   To prevent server spoofing from occurring when using
>> +   <link linkend="auth-password">scram-sha-256</link> password authentication
>> +   over a network, you should ensure you are connecting using SSL.
> 
> seems to backtrack on the recommendation -- you have to use
> sslmode=verify-full, not just SSL, to avoid handing a weak(er) hash to
> an untrusted party.

The above assumes that the reader reviewed the previous paragraph and 
followed the guidelines there. However, we can make it explicit. Please 
see attached.

Thanks,

Jonathan

Attachment

pgsql-hackers by date:

From: Peter Geoghegan
Date: 28 May 2023, 19:34:23
Subject: Re: abi-compliance-checker

From: David Rowley
Date: 29 May 2023, 00:42:05
Subject: Re: benchmark results comparing versions 15.2 and 16

Re: Docs: Encourage strong server verification with SCRAM - Mailing list pgsql-hackers

Attachment

Previous

Next