RFC 9266: Channel Bindings for TLS 1.3 support

Open Neustradamus opened this issue 2 years ago • 4 comments

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

  • https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

  • tls-unique for TLS <= 1.2
  • tls-server-end-point
  • tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

  • https://notes.valdikss.org.ru/jabber.ru-mitm/
  • https://snikket.org/blog/on-the-jabber-ru-mitm/
  • https://www.devever.net/~hl/xmpp-incident
  • https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

  • https://github.com/scram-sasl/info/issues/1
  • https://github.com/sunng87/pgwire/pull/26
  • https://github.com/sunng87/pgwire/issues/27
  • https://github.com/sunng87/pgwire/pull/31

Neustradamus avatar Nov 17 '23 02:11 Neustradamus
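The three binding types listed above differ in what they derive from the session; the one the issue asks for, tls-exporter, is the TLS 1.3 keying-material export with the label "EXPORTER-Channel-Binding", a zero-length context and 32 bytes of output. The following is an added example, not code from pgwire or PostgreSQL; it uses Go's standard library (rather than the Rust the pgwire crate is written in) because it exposes that exporter offline, and the self-signed certificate, in-memory pipe and demo-only configuration flags are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// RFC 9266: tls-exporter is the TLS 1.3 exporter output for this label with a
// zero-length context and a 32-byte length.
const exporterLabel, exporterLength = "EXPORTER-Channel-Binding", 32

// tlsExporterBindings runs a TLS 1.3 handshake over an in-memory pipe and
// returns the tls-exporter value derived independently by client and server.
func tlsExporterBindings() (clientCB, serverCB []byte, err error) {
	// Throwaway self-signed Ed25519 certificate for the demo server (constructed).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cp, sp := net.Pipe()
	// Tickets are off so the unbuffered pipe cannot stall on NewSessionTicket;
	// InsecureSkipVerify only because the demo certificate is self-signed.
	srv := tls.Server(sp, &tls.Config{MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	cli := tls.Client(cp, &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err = cli.Handshake(); err == nil {
		err = <-srvErr
	}
	if err != nil {
		return nil, nil, err
	}
	// Both ends export from the same session secrets, so a genuine end-to-end
	// TLS session yields equal values; a TLS-terminating middlebox cannot.
	cs, ss := cli.ConnectionState(), srv.ConnectionState()
	if clientCB, err = cs.ExportKeyingMaterial(exporterLabel, []byte{}, exporterLength); err == nil {
		serverCB, err = ss.ExportKeyingMaterial(exporterLabel, []byte{}, exporterLength)
	}
	return clientCB, serverCB, err
}
```

In SCRAM-SHA-256-PLUS these 32 bytes are what the client appends to the gs2-header ("p=tls-exporter,,") before base64-encoding the c= attribute, so the server can verify the peer saw the same TLS session; rustls exposes the same primitive as export_keying_material on its connection types.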

@Neustradamus Thank you for the information. Do you know if this is supported in the original PostgreSQL? How about its support on the client side?

I will leave this open for someone to pick up, or until I get time for it myself.

sunng87 avatar Nov 17 '23 22:11 sunng87

@sunng87: After my original request here:

  • https://www.postgresql.org/message-id/PA4PR01MB992243D329F60932DE56BAAFCB969@PA4PR01MB9922.eurprd01.prod.exchangelabs.com

@michaelpq has done: https://www.postgresql.org/message-id/YwxWWQR6uwWHBCbQ%40paquier.xyz

But currently, I do not see tls-exporter in main code: https://github.com/postgres/postgres

  • https://github.com/search?q=org%3Apostgres+tls-exporter&type=code
  • https://github.com/search?q=org%3Apostgres+tls-server-end-point&type=code
  • https://github.com/search?q=org%3Apostgres+tls-unique&type=code

Neustradamus avatar Nov 18 '23 00:11 Neustradamus

@michaelpq has done: https://www.postgresql.org/message-id/YwxWWQR6uwWHBCbQ%40paquier.xyz

But currently, I do not see tls-exporter in main code: https://github.com/postgres/postgres

There is currently no active patch to add tls-exporter to PostgreSQL. The last thread about this matter was stuck on the point about channel binding negotiation between the client and the backend, and I recall that the RFCs don't tell much about that except "you can do as you wish".

michaelpq avatar Nov 18 '23 02:11 michaelpq

Got it. I will be waiting for a wider adoption of this feature to ensure typical postgres clients will work for pgwire.

sunng87 avatar Nov 18 '23 18:11 sunng87