Implement Channel Binding

[davecramer]

PostgreSQL 11 will have channel binding. We'll need to extend the TLS interface to provide access to the Finished message and the peer certificate.

[Neustradamus]

@davecramer, @ongres, @ahachete: It is supported no?

• https://github.com/ongres/scram/search?q=SCRAM-SHA-1-PLUS
• https://github.com/ongres/scram/search?q=SCRAM-SHA-256-PLUS

Linked to:

• https://github.com/ongres/scram/issues/2
• https://github.com/ongres/scram/issues/8
• https://github.com/ongres/scram/issues/9
• https://github.com/ongres/scram/issues/19
• https://gitlab.com/ongresinc/scram/-/issues/15
• https://gitlab.com/ongresinc/scram/-/issues/17
• https://gitlab.com/ongresinc/scram/-/issues/18
• https://github.com/scram-sasl/info/issues/1

[Neustradamus]

@davecramer: Ping?

[davecramer]

@Neustradamus this is more for @ahachete to implement

[Neustradamus]

It is official, it is here: RFC 9266: Channel Bindings for TLS 1.3:

• https://tools.ietf.org/html/rfc9266

[Neustradamus]

Dear @ongres team, @ahachete,

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Linked to:

• https://github.com/ongres/scram/issues/2
• https://github.com/ongres/scram/issues/8
• https://github.com/ongres/scram/issues/9
• https://github.com/ongres/scram/issues/19
• https://gitlab.com/ongresinc/scram/-/issues/15
• https://gitlab.com/ongresinc/scram/-/issues/17
• https://gitlab.com/ongresinc/scram/-/issues/18
• https://github.com/scram-sasl/info/issues/1

[jorsol]

Status update:

Getting the channel-binding data from an external security layer such as that provided by TLS is out of the scope for implementation in this library, TLS channel-binding data can be fetched using a library dedicated like the Bouncy Castle Crypto APIs.

Having said that, the channel binding type used by PostgreSQL is tls-server-end-point, it could be fetched using Java's APIs without external libraries, and since this library was developed primarily to support SCRAM in PostgreSQL from Java, it could perfectly include a utility class to extract the cbind-data from the peer certificate.

This will be included in the next major release of the SCRAM library 3.0 which is being actively worked on, but there is no ETA for a final release yet.

[Neustradamus]

@jorsol: It has been solved?

[davecramer]

So what do we have to do with the JDBC driver to make this work. Just update the version ?

[jorsol]

@jorsol: It has been solved?

For the PostgreSQL JDBC Driver use, yes.

So what do we have to do with the JDBC driver to make this work. Just update the version ?

https://github.com/pgjdbc/pgjdbc/pull/3188

Right now is in draft, maven central is having sync issues and the jars are not available yet. Also need to check what the pipeline has to say and fix it.

[Neustradamus]

@jorsol: Good job about 3.0!

• https://github.com/ongres/scram/releases/tag/3.0

Important to specify in the ticket where it has been added.