author Bruce Momjian <bruce@momjian.us>
Tue, 26 Jun 2018 18:31:57 +0000 (14:31 -0400)
committer Bruce Momjian <bruce@momjian.us>
Tue, 26 Jun 2018 18:31:57 +0000 (14:31 -0400)
doc:  PG 11 relnotes: remove channel binding from major features

Also move to the source code section, and expand the paragraph

doc/src/sgml/release-11.sgml

index 25b2ab19f288dc3c63686f67ef1c0960e417e3c5..53b600b45366f85e335e0ef898637663ea2e632b 100644 (file)
      </para>
     </listitem>
 
-    <listitem>
-     <para>
-      Channel binding for SCRAM authentication, to prevent potential
-      man-in-the-middle attacks on database connections
-     </para>
-    </listitem>
-
     <listitem>
      <para>
       Many other useful performance improvements, including making
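Review bot: Removing this bullet from the major-features list is consistent with the commit message, but the list at this position keeps no pointer to where channel binding is now described, so a reader scanning only the headline items may conclude the feature was dropped from the release rather than downgraded to an optional, non-enforceable libpq setting; if the release-note style allows it, a short cross-reference to the libpq entry would avoid that reading.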
@@ -1230,29 +1223,6 @@ same commits as above
 
       <listitem>
 <!--
-2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
-2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
-2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
--->
-
-       <para>
-        Add libpq option to support channel binding when using <link
-        linkend="auth-password"><acronym>SCRAM</acronym></link>
-        authentication (Michael Paquier)
-       </para>
-
-       <para>
-        While <acronym>SCRAM</acronym> always prevents the
-        replay of transmitted hashed passwords in a later
-        session, <acronym>SCRAM</acronym> with channel binding
-        also prevents man-in-the-middle attacks.  The options are <link
-        linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
-        and <option>scram_channel_binding=tls-server-end-point</option>.
-       </para>
-      </listitem>
-
-      <listitem>
-<!--
 2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
 -->
 
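Review bot: The removed paragraph's unconditional statement that SCRAM with channel binding "also prevents man-in-the-middle attacks" is the wording worth making sure is gone everywhere, since libpq cannot require channel binding and the sentence overstates the protection a libpq client actually gets; the three commit-reference comment lines and the `<link linkend="libpq-scram-channel-binding">` are carried over to the new location, so no references are lost, but it is worth grepping release-11.sgml for any other mention of channel binding that still uses the old unqualified phrasing.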
@@ -2646,6 +2616,35 @@ same commits as above
 
       <listitem>
 <!--
+2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
+2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
+2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
+-->
+
+       <para>
+        Add ability to use channel binding when using <link
+        linkend="auth-password"><acronym>SCRAM</acronym></link>
+        authentication (Michael Paquier)
+       </para>
+
+       <para>
+        While <acronym>SCRAM</acronym> always prevents the
+        replay of transmitted hashed passwords in a later session,
+        <acronym>SCRAM</acronym> with channel binding can also prevent
+        man-in-the-middle attacks.  However, since there is no way
+        to <emphasis>force</emphasis> channel binding in libpq,
+        the feature currently does not prevent man-in-the-middle
+        attacks when using libpq and interfaces built using it.  It is
+        expected that future versions of libpq and interfaces not built
+        using libpq, e.g. JDBC, will allow this capability.  The libpq
+        options to control the optional channel binding type are <link
+        linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
+        and <option>scram_channel_binding=tls-server-end-point</option>.
+       </para>
+      </listitem>
+
+      <listitem>
+<!--
 2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
 2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
 2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru
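Review bot: In the second `<para>`, "can also prevent man-in-the-middle attacks" immediately followed by "does not prevent man-in-the-middle attacks when using libpq" reads as a contradiction on first pass; stating the condition up front ("prevents man-in-the-middle attacks only when the client requires channel binding, which libpq currently cannot do") would make the limitation clear in one sentence. The closing sentence says the options "control the optional channel binding type", which is accurate, but since the preceding text already establishes that binding cannot be forced, it would help to say explicitly that choosing `scram_channel_binding=tls-unique` or `scram_channel_binding=tls-server-end-point` selects the type without making the connection fail when binding is not used. As a style point, for consistency with the rest of the release notes, product names should be marked up, i.e. `<application>libpq</application>` and `<application>JDBC</application>`, and "e.g. JDBC" should read "for example, JDBC" or "e.g., JDBC".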