Re: SCRAM with channel binding downgrade attack

On Wed, May 23, 2018 at 11:15:28AM +0200, Magnus Hagander wrote:
> On Wed, May 23, 2018 at 11:08 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>     SCRAM, even without channel binding, does prove that you're talking to the
>     correct server. Or to be precise, it proves to the client, that the server
>     also knows the password, so assuming that you're using strong passwords and
>     not sharing them across servers, you know that you're talking to the
>     correct server.
> 
> Right. It provides a very different guarantee from what ssl certs provide. They
> are not replaceable, or mutually exclusive. Trying to force those into a single
> configuration parameter doesn't make a lot of sense IMO.

True.  sslmode is checking the the SSL endpoint with which you have a
shared secret has access to the private key of a server certificate that
is signed by a trusted CA, and perhaps the certificate's subject name
also matches the hostname.

With channel binding, you are proving that the SSL endpoint with which
you have a shared secret has access to the user password hash.

I can imagine someone wanting both checks so merging them into a single
options seems unwise, as Magnus mentioned.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +