On Wed, Nov 29, 2017 at 7:42 AM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote:
> On 11/28/17 17:33, Michael Paquier wrote:
>> 1) Have a special value in the parameter saslchannelbinding proposed
>> in patch 0001. For example by specifying "none" then no channel
>> binding is used.
>
> I was thinking if it's empty then don't use channel binding. Right now,
> empty means the same thing as tls-unique. In any case, some variant of
> that should be fine. I don't think we need a separate server option
> at this point.
OK, here is a reworked version with the following changes:
- renamed saslchannelbinding to scramchannelbinding, with a default set to tls-unique.
- An empty value of scramchannelbinding allows the client to not use channel binding, or in short use SCRAM-SHA-256 with cbind-flag set to 'n'.

While reviewing the code, I have found something a bit disturbing with the header definitions: the libpq frontend code includes scram.h, which references backend-side routines. So I think that the definition of the SCRAM mechanisms as well as the channel binding types should be moved to scram-common.h. This cleanup is included in 0001.
--
Michael
0001-Move-SCRAM-related-name-definitions-to-scram-common..patch
0002-Add-connection-parameter-scramchannelbinding.patch
0003-Implement-channel-binding-tls-server-end-point-for-S.patch
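As an added example that is not part of the patches or of this message: how the SCRAM-SHA-256 gs2-header and the client-final "c=" attribute differ for each scramchannelbinding value discussed above (empty, tls-unique, tls-server-end-point), following RFC 5802 and RFC 5929. The function names and the TLS sample material are constructed for illustration, not taken from libpq.

```python
import base64
import hashlib

# Constructed sample TLS material (not real): a 12-byte TLS Finished message
# and a fake DER-encoded server certificate.
SAMPLE_FINISHED = bytes(range(12))
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 16


def gs2_header(scramchannelbinding: str) -> str:
    """gs2-header sent in client-first-message (RFC 5802 section 7).
    Empty setting -> cbind-flag 'n' (client does not use channel binding);
    otherwise 'p=<type>' announces the binding the client wants."""
    if scramchannelbinding == "":
        return "n,,"
    if scramchannelbinding not in ("tls-unique", "tls-server-end-point"):
        raise ValueError("unsupported channel binding type: %r" % scramchannelbinding)
    return "p=%s,," % scramchannelbinding


def cbind_data(scramchannelbinding: str, tls_finished=None, server_cert_der=None) -> bytes:
    """Channel binding data appended to the gs2-header in the 'c=' attribute."""
    if scramchannelbinding == "":
        return b""
    if scramchannelbinding == "tls-unique":
        # RFC 5929 section 3: the first TLS Finished message of the connection.
        return tls_finished
    # RFC 5929 section 4: hash of the server certificate; SHA-256 is assumed
    # here (it applies to certificates signed with SHA-256, MD5 or SHA-1).
    return hashlib.sha256(server_cert_der).digest()


def channel_binding_attr(scramchannelbinding: str, tls_finished=None, server_cert_der=None) -> str:
    """'c=' attribute of client-final-message: base64(gs2-header || cbind-data)."""
    header = gs2_header(scramchannelbinding).encode("ascii")
    data = cbind_data(scramchannelbinding, tls_finished, server_cert_der)
    return "c=" + base64.b64encode(header + data).decode("ascii")


def decode_attr(attr: str) -> bytes:
    """What a server verifying the attribute recovers before comparing it."""
    if not attr.startswith("c="):
        raise ValueError("not a channel binding attribute")
    return base64.b64decode(attr[2:])


if __name__ == "__main__":
    print(channel_binding_attr(""))                                             # c=biws
    print(channel_binding_attr("tls-unique", tls_finished=SAMPLE_FINISHED))
    print(channel_binding_attr("tls-server-end-point", server_cert_der=SAMPLE_CERT_DER))
```

With an empty setting the attribute is always the constant "c=biws" (base64 of "n,,"), which is why a server that requires channel binding can tell such a client apart from one that bound the TLS session.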