|--- gitweb/email subject limit -----------------|-------------|
doc: PG 11 relnotes: remove channel binding from major features Also move to the source code section, and expand the paragraph
This commit is contained in:
Bruce Momjian
parent
aefb0a382c
commit
a89357e2f7
|
|
@ -99,13 +99,6 @@
|
|||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Channel binding for SCRAM authentication, to prevent potential
|
||||
man-in-the-middle attacks on database connections
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Many other useful performance improvements, including making
|
||||
|
|
@ -1230,29 +1223,6 @@ same commits as above
|
|||
|
||||
<listitem>
|
||||
<!--
|
||||
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
|
||||
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
|
||||
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
|
||||
-->
|
||||
|
||||
<para>
|
||||
Add libpq option to support channel binding when using <link
|
||||
linkend="auth-password"><acronym>SCRAM</acronym></link>
|
||||
authentication (Michael Paquier)
|
||||
</para>
|
||||
|
||||
<para>
|
||||
While <acronym>SCRAM</acronym> always prevents the
|
||||
replay of transmitted hashed passwords in a later
|
||||
session, <acronym>SCRAM</acronym> with channel binding
|
||||
also prevents man-in-the-middle attacks. The options are <link
|
||||
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
|
||||
and <option>scram_channel_binding=tls-server-end-point</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<!--
|
||||
2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
|
||||
-->
|
||||
|
||||
|
|
@ -2646,6 +2616,35 @@ same commits as above
|
|||
|
||||
<listitem>
|
||||
<!--
|
||||
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
|
||||
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
|
||||
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
|
||||
-->
|
||||
|
||||
<para>
|
||||
Add ability to use channel binding when using <link
|
||||
linkend="auth-password"><acronym>SCRAM</acronym></link>
|
||||
authentication (Michael Paquier)
|
||||
</para>
|
||||
|
||||
<para>
|
||||
While <acronym>SCRAM</acronym> always prevents the
|
||||
replay of transmitted hashed passwords in a later session,
|
||||
<acronym>SCRAM</acronym> with channel binding can also prevent
|
||||
man-in-the-middle attacks. However, since there is no way
|
||||
to <emphasis>force</emphasis> channel binding in libpq,
|
||||
the feature currently does not prevent man-in-the-middle
|
||||
attacks when using libpq and interfaces built using it. It is
|
||||
expected that future versions of libpq and interfaces not built
|
||||
using libpq, e.g. JDBC, will allow this capability. The libpq
|
||||
options to control the optional channel binding type are <link
|
||||
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
|
||||
and <option>scram_channel_binding=tls-server-end-point</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<!--
|
||||
2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
|
||||
2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
|
||||
2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru
|
||||
|
|
|
|||
Loading…
Reference in New Issue