On 05/10/2018 19:01, Bruce Momjian wrote: > On Fri, Oct 5, 2018 at 04:53:34PM +0200, Peter Eisentraut wrote: >> On 23/05/2018 08:46, Heikki Linnakangas wrote: >>> "tls-unique" and "tls-server-end-point" are overly technical to users. >>> They don't care which one is used, there's no difference in security. >> >> A question was raised about this in a recent user group meeting. >> >> When someone steals the server certificate from the real database server >> and sets up a MITM with that certificate, this would pass >> tls-server-end-point channel binding, because both the MITM and the real >> server have the same certificate. But with tls-unique they would have >> different channel binding data, so the channel binding would detect this. >> >> Is that not correct? > > Not correct. First, they need to steal the server certificate and > _private_ key that goes with the certificate to impersonate the owner of > the certificate.
Right, I meant to imply that. > If that happens, with tls-server-end-point, a MITM > could replay what the real server sends to the MITM. You are right that > tls-unique makes it harder for a MITM to reproduce the TLS shared key > which is mixed with the password hash to prove the server knows the > password hash. So you appear to be saying the above *is* correct? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
