[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Michael Samuel mik at miknet.net
Thu Mar 5 11:47:16 UTC 2015


On 5 March 2015 at 22:39, Aaron Zauner <azet at azet.org> wrote:

> Yep. I confused SRP with PSK ciphersuites here. There're no ciphersuites
> that support PKIX and SRP. Unfortunately there's also only AES-CBC
> (mac-then-encrypt) as a possible option when using SRP.
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Those ciphersuites are not ideal, but exploiting padding oracles
requires an auto-reconnecting client and doesn't buy you all that
much.

I think the direction upstream is going with SCRAM (or similar) is
fine, but either new hashes are required or using a customized code
base that uses MD5(password|username) where the password would
normally be directly input is needed.

I don't have time to write any code, but I'm happy to review schemes
and code (and probably will at some point anyway).

Regards,
  Michael



More information about the Pkg-postgresql-public mailing list