|--- gitweb/email subject limit -----------------|-------------|

doc: PG 11 relnotes: remove channel binding from major features Also move to the source code section, and expand the paragraph
2025-04-27 22:56:53 +03:00 · 2018-06-26 14:31:57 -04:00 · 2018-06-26 14:31:57 -04:00 · a89357e2f7
commit a89357e2f7
parent aefb0a382c
1 changed files with 29 additions and 30 deletions
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@ -99,13 +99,6 @@
     </para>
    </listitem>

-    <listitem>
-     <para>
-      Channel binding for SCRAM authentication, to prevent potential
-      man-in-the-middle attacks on database connections
-     </para>
-    </listitem>
-
    <listitem>
     <para>
      Many other useful performance improvements, including making
@ -1230,29 +1223,6 @@ same commits as above

      <listitem>
 <!--
-2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
-2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
-2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
-->
-
-       <para>
-        Add libpq option to support channel binding when using <link
-        linkend="auth-password"><acronym>SCRAM</acronym></link>
-        authentication (Michael Paquier)
-       </para>
-
-       <para>
-        While <acronym>SCRAM</acronym> always prevents the
-        replay of transmitted hashed passwords in a later
-        session, <acronym>SCRAM</acronym> with channel binding
-        also prevents man-in-the-middle attacks.  The options are <link
-        linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
-        and <option>scram_channel_binding=tls-server-end-point</option>.
-       </para>
-      </listitem>
-
-      <listitem>
-<!--
 2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
 -->

@ -2646,6 +2616,35 @@ same commits as above

      <listitem>
 <!--
+2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
+2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
+2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
+-->
+
+       <para>
+        Add ability to use channel binding when using <link
+        linkend="auth-password"><acronym>SCRAM</acronym></link>
+        authentication (Michael Paquier)
+       </para>
+
+       <para>
+        While <acronym>SCRAM</acronym> always prevents the
+        replay of transmitted hashed passwords in a later session,
+        <acronym>SCRAM</acronym> with channel binding can also prevent
+        man-in-the-middle attacks.  However, since there is no way
+        to <emphasis>force</emphasis> channel binding in libpq,
+        the feature currently does not prevent man-in-the-middle
+        attacks when using libpq and interfaces built using it.  It is
+        expected that future versions of libpq and interfaces not built
+        using libpq, e.g. JDBC, will allow this capability.  The libpq
+        options to control the optional channel binding type are <link
+        linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
+        and <option>scram_channel_binding=tls-server-end-point</option>.
+       </para>
+      </listitem>
+
+      <listitem>
+<!--
 2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
 2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
 2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru