Re: RFC 9266: Channel Bindings for TLS 1.3 support - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: RFC 9266: Channel Bindings for TLS 1.3 support
Msg-id CAOYmi+k0N+fcrW=xz_bshwzjM5CkSFUzKjTa+xeoyohkXD8doQ@mail.gmail.com
In response to Re: RFC 9266: Channel Bindings for TLS 1.3 support  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
On Thu, Nov 20, 2025 at 1:52 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> PostgreSQL does support channel binding, with tls-server-end-point. I
> believe that is sufficient to prevent an attack like that.

No, IIRC unique bindings (-unique and -exporter) prevent MITM even if
the attacker has the server's private key, as long as they do not also
possess the SCRAM verifiers. tls-server-end-point does not prevent
that (so you can terminate TLS on a different node from the
verifiers).

--Jacob
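The distinction Jacob draws can be shown with a small self-contained model of SCRAM-SHA-256-PLUS channel binding. The following is an added example, not code from the thread or from PostgreSQL: the TLS layer is simulated (each "leg" is an object with its own constructed session secret and a constructed certificate blob), the credential, salt and nonces are constructed, and the exporter value is stood in for by an HMAC over the leg's secret rather than a real TLS exporter. The SCRAM key derivation and proof check follow RFC 5802 / RFC 7677, and the `c=` attribute is built from the GS2 header plus the binding data as those RFCs specify.

```python
"""Added educational model (not PostgreSQL code): why tls-server-end-point
and tls-exporter differ when two separate TLS connections present the same
server certificate. All secrets, certificates and nonces are constructed."""
import base64
import hashlib
import hmac
import os

PASSWORD = b"correct horse battery staple"  # constructed test credential
SALT = b"\x01" * 16                         # constructed salt
ITERATIONS = 4096

GS2_HEADER = {"tls-server-end-point": b"p=tls-server-end-point,,",
              "tls-exporter": b"p=tls-exporter,,"}


def scram_keys(password: bytes, salt: bytes, iterations: int):
    """ClientKey and StoredKey per RFC 5802 with SHA-256 (RFC 7677)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key


class TlsLeg:
    """One simulated TLS connection: a certificate plus key material that is
    unique to this connection (stand-in for the real TLS secrets)."""

    def __init__(self, server_cert_der: bytes):
        self.server_cert_der = server_cert_der
        self.secret = os.urandom(32)

    def channel_binding(self, kind: str) -> bytes:
        if kind == "tls-server-end-point":
            # RFC 5929: hash of the server certificate (SHA-256 here).
            return hashlib.sha256(self.server_cert_der).digest()
        if kind == "tls-exporter":
            # RFC 9266: 32 bytes exported from the session keys. Simulated
            # as HMAC over this leg's secret; real TLS uses the exporter API.
            return hmac.new(self.secret, b"EXPORTER-Channel-Binding",
                            hashlib.sha256).digest()
        raise ValueError(kind)


def client_final(kind, cb_data, client_first_bare, server_first,
                 client_key, stored_key):
    """Build client-final-message-without-proof and the ClientProof."""
    c_attr = b"c=" + base64.b64encode(GS2_HEADER[kind] + cb_data)
    nonce = server_first.split(b",")[0]          # the r= attribute
    without_proof = c_attr + b"," + nonce
    auth_message = client_first_bare + b"," + server_first + b"," + without_proof
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return without_proof, proof


def server_verify(kind, cb_data, client_first_bare, server_first,
                  without_proof, proof, stored_key):
    """Server side: the c= attribute must match the binding data of the
    server's *own* connection, then the proof is checked against StoredKey."""
    expected_c = b"c=" + base64.b64encode(GS2_HEADER[kind] + cb_data)
    if not without_proof.startswith(expected_c + b","):
        return False
    auth_message = client_first_bare + b"," + server_first + b"," + without_proof
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def _run(kind: str, client_leg: TlsLeg, server_leg: TlsLeg) -> bool:
    client_key, stored_key = scram_keys(PASSWORD, SALT, ITERATIONS)
    client_first_bare = b"n=user,r=clientnonce"                      # constructed
    server_first = (b"r=clientnonceservernonce,s=" + base64.b64encode(SALT)
                    + b",i=4096")                                      # constructed
    without_proof, proof = client_final(kind, client_leg.channel_binding(kind),
                                        client_first_bare, server_first,
                                        client_key, stored_key)
    return server_verify(kind, server_leg.channel_binding(kind), client_first_bare,
                         server_first, without_proof, proof, stored_key)


def direct_connection_succeeds(kind: str) -> bool:
    """Client and server share one TLS connection: binding data agrees."""
    leg = TlsLeg(b"constructed DER certificate bytes")
    return _run(kind, leg, leg)


def binding_detects_relay(kind: str) -> bool:
    """Two distinct TLS connections that present the same certificate (the
    case where TLS is terminated on a node that holds the server key but not
    the SCRAM verifiers). True if the server rejects the forwarded proof."""
    cert = b"constructed DER certificate bytes"
    return not _run(kind, TlsLeg(cert), TlsLeg(cert))
```

With the same certificate on both connections the tls-server-end-point data is identical on each leg, so the server's `c=` check passes and only the password verifiers stand between the terminating node and the session; the exporter value is derived from each connection's own keys, so the check fails unless the server itself is the TLS endpoint. That is the property the thread attributes to the unique bindings.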


