author: Peter Eisentraut <peter_e@gmx.net> 2018-01-04 15:18:39 -0500
committer: Peter Eisentraut <peter_e@gmx.net> 2018-01-04 15:29:50 -0500
commit: d3fb72ea6de58d285e278459bca9d7cdf7f6a38b (patch)
tree: 27a374b84f98441e85da97a68dd4d144c699f38a /doc/src
parent: 39cfe86195f0b5cbc5fbe8d4e3aa6e2b0e322d0b (diff)
Implement channel binding tls-server-end-point for SCRAM
This adds a second standard channel binding type for SCRAM. It is mainly intended for third-party clients that cannot implement tls-unique, for example JDBC.

Author: Michael Paquier <michael.paquier@gmail.com>
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/protocol.sgml | 17
1 files changed, 11 insertions, 6 deletions
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa7..4c5ed1e6d66 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1575,9 +1575,13 @@ the password is in.
<para>
<firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
-SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>. The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+SSL support. The SASL mechanism name for SCRAM with channel binding is
+<literal>SCRAM-SHA-256-PLUS</literal>. Two channel binding types are
+supported: <literal>tls-unique</literal> and
+<literal>tls-server-end-point</literal>, both defined in RFC 5929. Clients
+should use <literal>tls-unique</literal> if they can support it.
+<literal>tls-server-end-point</literal> is intended for third-party clients
+that cannot support <literal>tls-unique</literal> for some reason.
</para>
<procedure>
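Review bot: "that cannot support tls-unique for some reason" (last added line of this hunk) is vaguer than the commit message itself, which names the concrete case (clients such as JDBC whose TLS layer does not expose what tls-unique needs); stating that reason here would tell implementers when the fallback applies. The hunk also names the two types without saying what each one binds the authentication to, so a reader cannot judge why tls-unique is the preferred choice; a short clause per type, with the RFC 5929 reference already present, would make the "should use tls-unique if they can support it" recommendation self-explanatory.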
@@ -1597,9 +1601,10 @@ supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
indicates the chosen mechanism, <literal>SCRAM-SHA-256</literal> or
<literal>SCRAM-SHA-256-PLUS</literal>. (A client is free to choose either
mechanism, but for better security it should choose the channel-binding
- variant if it can support it.) In the Initial Client response field,
- the message contains the SCRAM
- <structname>client-first-message</structname>.
+ variant if it can support it.) In the Initial Client response field, the
+ message contains the SCRAM <structname>client-first-message</structname>.
+ The <structname>client-first-message</structname> also contains the channel
+ binding type chosen by the client.
</para>
</step>
<step id="scram-server-first">
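Review bot: the new sentence "The client-first-message also contains the channel binding type chosen by the client" does not say what the server does when the client names a type it does not support, which is the error a client author reading this step has to handle; the paragraph should state that the server rejects the authentication in that case (or whatever the implementation actually does). It would also help to say where in the client-first-message the type is carried (the GS2 header, in RFC 5802 terms), since "also contains" leaves the field unnamed.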