pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
From: sehrope (@sehrope) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
Date: Sat, 14 Jun 2025 11:31:00 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
I don't think this is a good idea. I agree the previous fix breaks channel_binding=require with verify-full / md5-auth. But that's because the broken part of that was not ensuring that we are using SASL (rather than md5 auth). Channel binding mandates using SASL, which does more than just verifying the TLS certificate. It ensures that the server knows the client's password by completing the SASL handshake.
In the extreme case, you could have sslmode=verify-full + plaintext auth. With a compromised network and CA chain, that would expose you to giving out the plaintext password to a rogue server. With channel binding mandating SASL, the server itself with your password hash would have to be compromised.
We should confirm and match the behavior of libpq. I'm pretty sure it rejects connections if you request channel binding with a non-SASL auth scheme.
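The gate sehrope describes (refuse any non-SASL authentication request, and require a channel-bound mechanism, whenever channel binding is mandatory), as an added Python model that is not pgjdbc's or libpq's code. The 'R' message layout and sub-codes are the PostgreSQL frontend/backend protocol's; the behaviour is modelled on libpq's check_expected_areq() in fe-auth.c; the function names and sample messages are constructed for this example:

```python
import struct

# AuthenticationRequest ('R') sub-codes from the PostgreSQL frontend/backend protocol
AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5 = 0, 3, 5
AUTH_SASL, AUTH_SASL_CONTINUE, AUTH_SASL_FINAL = 10, 11, 12
CB_MECHANISM = "SCRAM-SHA-256-PLUS"  # the only PostgreSQL SASL mechanism bound to the TLS channel


def build_auth_request(code: int, payload: bytes = b"") -> bytes:
    """Constructed sample server message: 'R', int32 length (self-inclusive), int32 code, payload."""
    body = struct.pack("!I", code) + payload
    return b"R" + struct.pack("!i", 4 + len(body)) + body


def parse_auth_request(msg: bytes):
    """Return (code, sasl_mechanisms); the mechanism list is empty unless code == AUTH_SASL."""
    if msg[:1] != b"R":
        raise ValueError("not an AuthenticationRequest")
    length, code = struct.unpack("!iI", msg[1:9])
    payload = msg[9:1 + length]
    names = payload.split(b"\x00") if code == AUTH_SASL else []
    return code, [m.decode("ascii") for m in names if m]


def check_auth_request(msg: bytes, ssl_in_use: bool, sasl_channel_bound: bool = False):
    """Gate applied to every 'R' message when channel binding is mandatory (channelBinding=require).

    Modelled on libpq's check_expected_areq(): SASL traffic may continue, AuthenticationOk is
    accepted only after a channel-bound SASL exchange finished, and everything else is refused
    before any password material leaves the client.  Returns (proceed, reason).
    """
    code, mechanisms = parse_auth_request(msg)
    if not ssl_in_use:
        return False, "channel binding required, but SSL is not in use"
    if code in (AUTH_SASL_CONTINUE, AUTH_SASL_FINAL):
        return True, "continue SASL exchange"
    if code == AUTH_SASL:
        if CB_MECHANISM not in mechanisms:
            return False, "server offered no mechanism that supports channel binding"
        return True, f"start {CB_MECHANISM}"
    if code == AUTH_OK:
        if not sasl_channel_bound:
            # a 'trust' server, or an impostor that skips authentication, lands here
            return False, "server authenticated client without channel binding"
        return True, "authenticated"
    # cleartext, md5, GSS/SSPI, ...: the client would hand over credentials with nothing
    # but the certificate chain vouching for the server, which is the case sehrope describes
    return False, f"auth request code {code} is not supported with channel binding"
```

Note that the AuthenticationOk branch matters as much as the cleartext/md5 one: a server that never challenges the client at all must also be rejected, otherwise a rogue endpoint could simply skip authentication.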