On Thu, Oct 13, 2022 at 10:30:37AM -0700, Jacob Champion wrote:
> Is the intent to backport tls-exporter client support? Or is the
> compatibility break otherwise acceptable?
Well, I'd rather say yes thanks to the complexity avoided in the
backend as that's the most sensible piece security-wise, even if we
always require a certificate to exist in PG. A server attempting to
trick a client in downgrading would still be a problem :/
tls-exporter would be a new feature, so backporting is out of the
picture.
> It seemed like there was also some general interest in proxy TLS
> termination (see also the PROXY effort, though it has stalled a bit).
> For that, I would think tls-server-end-point is an important feature.
Oh, okay. That's an argument in favor of not doing that, then.
Perhaps we'd better revisit the introduction of tls-exporter once we
know more about all that, and it looks like we would need a way to be
able to negotiate which channel binding to use (I recall that the
surrounding RFCs allowed some extra negotiation, vaguely, but my
impression may be wrong).
--
Michael
