Commit a89357e2 authored by Bruce Momjian

|--- gitweb/email subject limit -----------------|-------------|

doc:  PG 11 relnotes: remove channel binding from major features

Also move to the source code section, and expand the paragraph
parent aefb0a38
...@@ -99,13 +99,6 @@ ...@@ -99,13 +99,6 @@
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Channel binding for SCRAM authentication, to prevent potential
man-in-the-middle attacks on database connections
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Many other useful performance improvements, including making Many other useful performance improvements, including making
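Review bot: the `<listitem>` removed from the major features list here ("Channel binding for SCRAM authentication, to prevent potential man-in-the-middle attacks on database connections") goes away with no rationale in the commit message, which only says "remove channel binding from major features". The reason is visible only in the paragraph added in the last hunk (there is no way to force channel binding in libpq), so I'd suggest stating it in the commit message so the removal can be understood from the log alone.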
...@@ -1230,29 +1223,6 @@ same commits as above ...@@ -1230,29 +1223,6 @@ same commits as above
<listitem> <listitem>
<!-- <!--
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
-->
<para>
Add libpq option to support channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
authentication (Michael Paquier)
</para>
<para>
While <acronym>SCRAM</acronym> always prevents the
replay of transmitted hashed passwords in a later
session, <acronym>SCRAM</acronym> with channel binding
also prevents man-in-the-middle attacks. The options are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
</listitem>
<listitem>
<!--
2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au 2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
--> -->
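Review bot: the entry deleted here, just before the LDAP search filter item, is the one that documents the user-facing libpq settings scram_channel_binding=tls-unique and scram_channel_binding=tls-server-end-point, and per the commit message it now lives in the source code section. A reader scanning the notes for connection options is unlikely to look there; consider keeping the entry in this section and only rewording it, or leaving a one-line pointer to its new location.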
...@@ -2646,6 +2616,35 @@ same commits as above ...@@ -2646,6 +2616,35 @@ same commits as above
<listitem> <listitem>
<!-- <!--
2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
-->
<para>
Add ability to use channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
authentication (Michael Paquier)
</para>
<para>
While <acronym>SCRAM</acronym> always prevents the
replay of transmitted hashed passwords in a later session,
<acronym>SCRAM</acronym> with channel binding can also prevent
man-in-the-middle attacks. However, since there is no way
to <emphasis>force</emphasis> channel binding in libpq,
the feature currently does not prevent man-in-the-middle
attacks when using libpq and interfaces built using it. It is
expected that future versions of libpq and interfaces not built
using libpq, e.g. JDBC, will allow this capability. The libpq
options to control the optional channel binding type are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
</listitem>
<listitem>
<!--
2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co 2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with 2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru 2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru
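Review bot: in the second added `<para>`, "SCRAM with channel binding can also prevent man-in-the-middle attacks" is followed by "the feature currently does not prevent man-in-the-middle attacks when using libpq", and the sentence "future versions of libpq and interfaces not built using libpq, e.g. JDBC, will allow this capability" leaves "this capability" without a clear referent. Suggest naming it, for example "will allow channel binding to be required", and saying directly that a client which cannot require channel binding gets no man-in-the-middle protection from it, so the limitation is not read as a contradiction of the preceding sentence.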
......