pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
[pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
4+ messages / 3 participants
* [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
@ 2025-06-14 10:25 "vlsi (@vlsi)" <[email protected]>
From: vlsi (@vlsi) @ 2025-06-14 10:25 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Previously, `channelBinding=require` required SCRAM authentication, and it effectively prevented certificate-based authentication.
The change aligns `channelBinding=require` behaviour to ensure it "prevents MITM".
Then MITM prevention could be:
a) `channelBinding=require` + `sslMode=verify-full` + any auth
   This would require clients to configure the server's certificate at the client.
b) `channelBinding=require` + `sslMode=require` + SCRAM auth
   This would be easier to configure (no need to configure the server's certificate at the client), at the cost of reconfiguring the user to use SCRAM auth.
Follow-up to 9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
* Re: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
@ 2025-06-14 10:41 ` "davecramer (@davecramer)" <[email protected]>
From: davecramer (@davecramer) @ 2025-06-14 10:41 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Makes sense. I don't think it would break anything.
* Re: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
@ 2025-06-14 11:31 ` "sehrope (@sehrope)" <[email protected]>
From: sehrope (@sehrope) @ 2025-06-14 11:31 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
I don't think this is a good idea. I agree the previous fix breaks channel_binding=require with verify-full / md5-auth. But that's because the broken part of that was not ensuring that we are using SASL (rather than md5 auth). Channel binding mandates using SASL, which does more than just verifying the TLS certificate. It ensures that the server knows the client's password by completing the SASL handshake.
In the extreme case, you could have sslmode=verify-full + plaintext auth. With a compromised network and CA chain, that would expose you to giving out the plaintext password to a rogue server. With channel binding mandating SASL, the server itself with your password hash would have to be compromised.
We should confirm and match the behavior of libpq. I'm pretty sure it rejects connections if you request channel binding with a non-SASL auth scheme.
* Re: [pgjdbc/pgjdbc] PR #3664: fix: allow sslMode=verify-full connections with any authentication type even with channelBinding=require
@ 2025-06-14 14:42 ` "vlsi (@vlsi)" <[email protected]>
From: vlsi (@vlsi) @ 2025-06-14 14:42 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Well, if someone compromises the CA, you are in trouble anyway.
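Added example (not part of the thread, and not pgjdbc or libpq code): a simplified Python model of the SCRAM-SHA-256 exchange with `tls-server-end-point` channel binding that the thread refers to. It shows why the handshake fails when the client sees a different certificate than the server's own, and why an endpoint without the user's stored verifier cannot produce the server signature. The function names, nonces, salt, user name and certificate bytes are constructed, and the certificate hash is fixed to SHA-256.

```python
import base64, hashlib, hmac

# Constructed handshake parameters (a real exchange uses fresh random values).
SALT, ITERS, CNONCE = b"constructed-salt", 4096, b"c-nonce"
NONCE = CNONCE + b"s-nonce"

def hmac_sha256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_verifier(password):
    """What the server stores for a SCRAM user: (StoredKey, ServerKey), RFC 5802."""
    salted = hashlib.pbkdf2_hmac("sha256", password, SALT, ITERS)
    return hashlib.sha256(hmac_sha256(salted, b"Client Key")).digest(), hmac_sha256(salted, b"Server Key")

def cbind(cert_der):
    """c= value for tls-server-end-point (RFC 5929); assumes a SHA-256-signed certificate."""
    return base64.b64encode(b"p=tls-server-end-point,," + hashlib.sha256(cert_der).digest())

def auth_message(c_value):
    server_first = b"r=" + NONCE + b",s=" + base64.b64encode(SALT) + b",i=%d" % ITERS
    return b"n=app,r=" + CNONCE + b"," + server_first + b",c=" + c_value + b",r=" + NONCE

def client_final(password, cert_seen):
    """Client: bind to the certificate seen on TLS; return (c=, ClientProof, expected ServerSignature)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, SALT, ITERS)
    client_key, msg = hmac_sha256(salted, b"Client Key"), auth_message(cbind(cert_seen))
    proof = xor(client_key, hmac_sha256(hashlib.sha256(client_key).digest(), msg))
    return cbind(cert_seen), proof, hmac_sha256(hmac_sha256(salted, b"Server Key"), msg)

def server_final(verifier, own_cert, c_value, proof):
    """Server: check binding, then proof; return ServerSignature, or None to reject."""
    stored_key, server_key = verifier
    if not hmac.compare_digest(c_value, cbind(own_cert)):
        return None  # client bound to a different certificate: someone is in the middle
    msg = auth_message(c_value)
    client_key = xor(proof, hmac_sha256(stored_key, msg))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None  # proof does not match the stored verifier
    return hmac_sha256(server_key, msg)

def handshake(password, verifier, cert_seen_by_client, server_cert):
    """True only if the server accepts the client and the client accepts the server."""
    c_value, proof, expected = client_final(password, cert_seen_by_client)
    sig = server_final(verifier, server_cert, c_value, proof)
    return sig is not None and hmac.compare_digest(sig, expected)
```

`handshake(pw, make_verifier(pw), cert, cert)` succeeds only when the certificate the client saw is the server's own and the server holds a verifier derived from the same password.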