Message-ID:
From: "vlsi (@vlsi)"
To: "pgjdbc/pgjdbc"
Date: Sat, 14 Jun 2025 10:25:29 +0000
Subject: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
List-Id:
X-GitHub-Author-Id: 213894
X-GitHub-Author-Login: vlsi
X-GitHub-Issue: 3664
X-GitHub-Labels: security
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-State: closed
X-GitHub-Type: pull_request
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3664
Content-Type: text/plain; charset=utf-8

Previously, `channelBinding=require` required SCRAM authentication, and it effectively prevented certificate-based authentication.

The change aligns `channelBinding=require` behaviour to ensure it "prevents MITM".

Then MITM prevention could be:

a) `channelBinding=require` + `sslMode=verify-full` + any auth
   This would require clients to configure the server's certificate at the client.

b) `channelBinding=require` + `sslMode=require` + SCRAM auth
   This would be easier to configure (no need to configure the server's certificate at the client) at a cost of reconfiguring the user to use SCRAM auth.

Follow-up to 9217ed16cb2918ab1b6b9258ae97e6ede244d8a0