</para>
</listitem>
- <listitem>
- <para>
- Channel binding for SCRAM authentication, to prevent potential
- man-in-the-middle attacks on database connections
- </para>
- </listitem>
-
<listitem>
<para>
Many other useful performance improvements, including making
<listitem>
<!--
-2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
-2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
-2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
--->
-
- <para>
- Add libpq option to support channel binding when using <link
- linkend="auth-password"><acronym>SCRAM</acronym></link>
- authentication (Michael Paquier)
- </para>
-
- <para>
- While <acronym>SCRAM</acronym> always prevents the
- replay of transmitted hashed passwords in a later
- session, <acronym>SCRAM</acronym> with channel binding
- also prevents man-in-the-middle attacks. The options are <link
- linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
- and <option>scram_channel_binding=tls-server-end-point</option>.
- </para>
- </listitem>
-
- <listitem>
-<!--
2017-09-12 [83aaac41c] Allow custom search filters to be configured for LDAP au
-->
<listitem>
<!--
+2017-11-18 [9288d62bb] Support channel binding 'tls-unique' in SCRAM
+2017-12-19 [4bbf110d2] Add libpq connection parameter "scram_channel_binding"
+2018-01-04 [d3fb72ea6] Implement channel binding tls-server-end-point for SCRAM
+-->
+
+ <para>
+ Add ability to use channel binding when using <link
+ linkend="auth-password"><acronym>SCRAM</acronym></link>
+ authentication (Michael Paquier)
+ </para>
+
+ <para>
+ While <acronym>SCRAM</acronym> always prevents the
+ replay of transmitted hashed passwords in a later session,
+ <acronym>SCRAM</acronym> with channel binding can also prevent
+ man-in-the-middle attacks. However, since there is no way
+ to <emphasis>force</emphasis> channel binding in libpq,
+ the feature currently does not prevent man-in-the-middle
+ attacks when using libpq and interfaces built using it. It is
+ expected that future versions of libpq and interfaces not built
+ using libpq, e.g. JDBC, will allow this capability. The libpq
+ options to control the optional channel binding type are <link
+ linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
+ and <option>scram_channel_binding=tls-server-end-point</option>.
+ </para>
+ </listitem>
+
+ <listitem>
+<!--
2018-03-03 [a351679c8] Trivial adjustments in preparation for bootstrap data co
2018-04-08 [372728b0d] Replace our traditional initial-catalog-data format with
2018-04-26 [a0854f107] Avoid parsing catalog data twice during BKI file constru