pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
From: vlsi (@vlsi) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
Date: Sat, 14 Jun 2025 10:25:29 +0000
Message-ID: <[email protected]> (raw)

Previously, `channelBinding=require` required SCRAM authentication, and it effectively prevented certificate-based authentication.

The change aligns `channelBinding=require` behaviour to ensure it "prevents MITM".

Then MITM prevention could be:
a) `channelBinding=require` + `sslMode=verify-full` + any auth
   This would require clients to configure the server's certificate at the client.
b) `channelBinding=require` + `sslMode=require` + SCRAM auth
   This would be easier to configure (no need to configure the server's certificate at the client),
   at a cost of reconfiguring the user to use SCRAM auth.

Follow-up to 9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
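
The two combinations listed in the message above can be checked across a set of connection strings. The following is an added example, not code from pgjdbc or from the PR: the class name, the sample URLs and the case-insensitive key matching are assumptions, and it models only options a) and b) as the message states them.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class MitmOptionAudit {
    // Query parameters of a JDBC URL, keys lower-cased (assumption of this example:
    // keys are matched case-insensitively; values are not URL-decoded).
    static Map<String, String> params(String jdbcUrl) {
        Map<String, String> out = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return out;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) out.put(pair.substring(0, eq).toLowerCase(Locale.ROOT), pair.substring(eq + 1));
        }
        return out;
    }

    // Map a URL onto option a) or b) from the message; anything else is flagged.
    static String classify(String jdbcUrl) {
        Map<String, String> p = params(jdbcUrl);
        boolean bindingRequired = "require".equals(p.get("channelbinding"));
        String sslMode = p.getOrDefault("sslmode", "(unset)");
        if (bindingRequired && sslMode.equals("verify-full")) {
            return "option a: any auth; server certificate must be configured at the client";
        }
        if (bindingRequired && sslMode.equals("require")) {
            // The auth method is chosen by the server, so the URL alone cannot confirm SCRAM.
            return "option b: holds only if the user authenticates with SCRAM";
        }
        return "neither option: channelBinding=" + p.getOrDefault("channelbinding", "(unset)")
                + ", sslMode=" + sslMode;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host and database names are placeholders.
        List<String> urls = List.of(
                "jdbc:postgresql://db.example:5432/app?sslMode=verify-full&channelBinding=require",
                "jdbc:postgresql://db.example:5432/app?sslMode=require&channelBinding=require",
                "jdbc:postgresql://db.example:5432/app?sslMode=require",
                "jdbc:postgresql://db.example:5432/app");
        for (String url : urls) {
            System.out.println(classify(url) + "  <-  " + url);
        }
    }
}
```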

