Home > mailing lists

Re: RFC 9266: Channel Bindings for TLS 1.3 support - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: RFC 9266: Channel Bindings for TLS 1.3 support
Date	November 21 19:18:41
Msg-id	CAOYmi+ku23HywDuYpQC7zcwGLFoiqm9-HpdpVErrUrpWQ3ZFug@mail.gmail.com Whole thread Raw
In response to	Re: RFC 9266: Channel Bindings for TLS 1.3 support (Heikki Linnakangas <hlinnaka@iki.fi>)
List	pgsql-hackers

Tree view

On Fri, Nov 21, 2025 at 12:46 AM Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> If I understood the incident correctly, the attacker managed to somehow
> obtain a valid TLS certificate for the victim domain. They used that to
> perform a MITM attack. They did not have the server's private key. (Or
> if they did, they did not use that for the attack).

Oh! Thank you for pointing that out. Yeah, having the private key for
*a* host certificate shouldn't help you if it doesn't have the same
public fingerprint as the one in use at the peer. (I'm not sure I
really internalized that distinction before.)

--Jacob

pgsql-hackers by date:

From: Tom Lane
Date: 21 November, 19:16:21
Subject: Re: change default default_toast_compression to lz4?

From: 河田達也
Date: 21 November, 19:25:58
Subject: Re: [PATCH] Add memory usage reporting to VACUUM VERBOSE

Re: RFC 9266: Channel Bindings for TLS 1.3 support - Mailing list pgsql-hackers

Previous

Next