On Thu, Sep 14, 2017 at 12:58 PM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote: > Second thoughts, to make things simpler. All we need for channel > binding is a connection flag that says "I require channel binding". It > could be modeled after the sslmode parameter, e.g., cbind=disable (maybe > for debugging), cbind=prefer (default), cbind=require. If you specify > "require", then libpq would refuse to proceed unless scram-sha2-256-plus > (or future similar mechanisms) was offered for authentication.
+1, although I think cbind is too brief. I'd spell it out. > We don't even need a parameter that specifies which channel binding type > to use. If libpq implements tls-unique, it should always use that. We > might need a flag for testing other types, but that should not be an > in-the-user's-face option. I'm not so sure about this part. Why don't we want to let users control this? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
