Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Sat, 14 Jun 2025 11:31:00 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 2972636750
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3664
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3664#issuecomment-2972636750
Content-Type: text/plain; charset=utf-8

I don't think this is a good idea.

I agree the previous fix breaks channel_binding=require with verify-full / md5-auth. But that's because the broken part of that was not ensuring that we are using SASL (rather than md5 auth). Channel binding mandates using SASL, which does more than just verifying the TLS certificate. It ensures that the server knows the client's password by completing the SASL handshake.

In the extreme case, you could have sslmode=verify-full + plaintext auth. With a compromised network and CA chain, that would expose you to giving out the plaintext password to a rogue server. With channel binding mandating SASL, the server itself with your password hash would have to be compromised.

We should confirm and match the behavior of libpq. I'm pretty sure it rejects connections if you request channel binding with a non-SASL auth scheme.
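
The rule argued for in the comment above, as an added example that is not part of the original comment and is not pgjdbc code: with channelBinding=require, the client checks each authentication request before answering it and aborts on anything that is not SASL, so no md5 or cleartext response is ever sent. The class and method names are hypothetical; the numeric codes are the PostgreSQL protocol's authentication request types, and SCRAM-SHA-256-PLUS is the channel-bound SCRAM mechanism.

```java
// Added illustration; names are hypothetical and this is not pgjdbc code.
public class ChannelBindingPolicyDemo {
  // Authentication request codes from the PostgreSQL wire protocol.
  static final int AUTH_REQ_OK = 0;
  static final int AUTH_REQ_PASSWORD = 3; // cleartext password
  static final int AUTH_REQ_MD5 = 5;
  static final int AUTH_REQ_SASL = 10;
  static final int AUTH_REQ_SASL_CONTINUE = 11;
  static final int AUTH_REQ_SASL_FINAL = 12;

  /** State for one connection attempt made with channelBinding=require. */
  static final class RequireChannelBinding {
    private boolean boundExchangeVerified;

    /** Call after the SASL exchange: mechanism used, and whether the server's final message verified. */
    void saslFinished(String mechanism, boolean serverSignatureValid) {
      boundExchangeVerified = serverSignatureValid && mechanism.endsWith("-PLUS");
    }

    /** Call before answering each authentication request; null means proceed. */
    String check(int authRequest) {
      switch (authRequest) {
        case AUTH_REQ_SASL:
        case AUTH_REQ_SASL_CONTINUE:
        case AUTH_REQ_SASL_FINAL:
          return null;
        case AUTH_REQ_OK:
          return boundExchangeVerified ? null
              : "authenticated without a channel-bound SASL exchange";
        default: // md5, cleartext, anything else: abort before sending a response
          return "non-SASL authentication request (code " + authRequest + ")";
      }
    }
  }

  public static void main(String[] args) {
    // Constructed scenarios; each starts from a fresh connection attempt.
    System.out.println("md5:        " + new RequireChannelBinding().check(AUTH_REQ_MD5));
    System.out.println("cleartext:  " + new RequireChannelBinding().check(AUTH_REQ_PASSWORD));
    System.out.println("trust:      " + new RequireChannelBinding().check(AUTH_REQ_OK));
    RequireChannelBinding plain = new RequireChannelBinding();
    plain.saslFinished("SCRAM-SHA-256", true);
    System.out.println("scram:      " + plain.check(AUTH_REQ_OK));
    RequireChannelBinding bound = new RequireChannelBinding();
    bound.saslFinished("SCRAM-SHA-256-PLUS", true);
    System.out.println("scram-plus: " + bound.check(AUTH_REQ_OK));
  }
}
```

Only the last scenario returns null; the "trust" case shows why AuthenticationOk itself has to be checked, since a server that skips authentication entirely never sends a non-SASL request to reject.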