Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Channel Binding #2

Closed
davecramer opened this issue Jun 1, 2018 · 10 comments
Closed

Implement Channel Binding #2

davecramer opened this issue Jun 1, 2018 · 10 comments
Assignees
@jorsol
Labels
enhancement
Milestone
SCRAM 3.0

Comments

@davecramer
Copy link

PostgreSQL 11 will have channel binding.
We'll need to extend the TLS interface to provide access to the Finished message and the peer certificate.
@davecramer davecramer mentioned this issue Jun 1, 2018
Closed
@Neustradamus
Copy link

Neustradamus commented Nov 12, 2020
edited
Loading

@davecramer, @ongres, @ahachete: It is supported no?

Linked to:

@Neustradamus Neustradamus mentioned this issue Nov 12, 2020
Closed
@Neustradamus
Copy link

@davecramer: Ping?

@davecramer
Copy link
Author

@Neustradamus this is more for @ahachete to implement

@Neustradamus
Copy link

It is official, it is here: RFC 9266: Channel Bindings for TLS 1.3:

This was referenced Nov 19, 2023
Closed
Closed
@Neustradamus
Copy link

Dear @ongres team, @ahachete,

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

Linked to:

@jorsol
Copy link
Collaborator

jorsol commented Mar 16, 2024

Status update:

Getting the channel-binding data from an external security layer such as that provided by TLS is out of the scope for implementation in this library, TLS channel-binding data can be fetched using a library dedicated like the Bouncy Castle Crypto APIs.

Having said that, the channel binding type used by PostgreSQL is tls-server-end-point, it could be fetched using Java's APIs without external libraries, and since this library was developed primarily to support SCRAM in PostgreSQL from Java, it could perfectly include a utility class to extract the cbind-data from the peer certificate.

This will be included in the next major release of the SCRAM library 3.0 which is being actively worked on, but there is no ETA for a final release yet.

@jorsol jorsol self-assigned this Mar 18, 2024
@jorsol jorsol added this to the SCRAM 3.0 milestone Mar 19, 2024
@jorsol jorsol closed this as completed Apr 3, 2024
@Neustradamus
Copy link

@jorsol: It has been solved?

@davecramer
Copy link
Author

So what do we have to do with the JDBC driver to make this work. Just update the version ?

@jorsol
Copy link
Collaborator

jorsol commented Apr 3, 2024

@jorsol: It has been solved?

For the PostgreSQL JDBC Driver use, yes.

So what do we have to do with the JDBC driver to make this work. Just update the version ?

pgjdbc/pgjdbc#3188

Right now is in draft, maven central is having sync issues and the jars are not available yet. Also need to check what the pipeline has to say and fix it.

@Neustradamus
Copy link

@jorsol: Good job about 3.0!

Important to specify in the ticket where it has been added.

@Neustradamus Neustradamus mentioned this issue Apr 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jorsol jorsol

Labels
enhancement
Projects
None yet
Milestone
SCRAM 3.0
Development

No branches or pull requests
3 participants
@Neustradamus @davecramer @jorsol