pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
help / color / mirror / Atom feed[pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
5+ messages / 2 participants
[nested] [flat]
* [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
@ 2025-08-10 07:48 "bwillnus (@bwillnus)" <[email protected]>
0 siblings, 0 replies; 5+ messages in thread
From: bwillnus (@bwillnus) @ 2025-08-10 07:48 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
**Describe the issue**
When trying to connect from JBoss EAP 7.4.9 I see the following error:
Invalid SCRAM client initialization
The same setup works with version 42.7.3.
It also works with 42.7.7 and FIPS mode disabled.
**Driver Version?**
42.7.7
**Java Version?**
OpenJDK Runtime Environment (build 1.8.0_422-b05)
**OS Version?**
AlmaLinux release 8.9 (Midnight Oncilla)
FIPS enabled
**PostgreSQL Version?**
17.5
ssl = off
**To Reproduce**
Steps to reproduce the behaviour:
- Enable FIPS mode and reboot: fips-mode-setup --enable
- Configure JBoss EAP to use a Datasource with the latest driver
**Logs**
`Connecting with URL: jdbc:postgresql://xxx.xxx.xxx:5432/xyz?
adaptiveFetch=false&adaptiveFetchMaximum=-1
&adaptiveFetchMinimum=0&allowEncodingChanges=false
&autosave=never&binaryTransfer=true&binaryTransferDisable=
&binaryTransferEnable=&cancelSignalTimeout=10
&channelBinding=prefer&cleanupSavepoints=false
&connectTimeout=10&databaseMetadataCacheFields=65536
&databaseMetadataCacheFieldsMiB=5
&defaultRowFetchSize=0&disableColumnSanitiser=false
&escapeSyntaxCallMode=select&groupStartupParameters=false
&gssEncMode=allow
&gsslib=auto&gssResponseTimeout=5000&gssUseDefaultCreds=false
&hideUnprivilegedObjects=false
&hostRecheckSeconds=10&jaasApplicationName=pgjdbc
&jaasLogin=true&loadBalanceHosts=false
&loginTimeout=0&logServerErrorDetail=true
&logUnclosedConnections=false&maxSendBufferSize=8192
&preferQueryMode=extended&preparedStatementCacheQueries=128
&preparedStatementCacheSizeMiB=5
&prepareThreshold=5&protocolVersion=3"eReturningIdentifiers=true
&readOnly=false
&readOnlyMode=transaction&receiveBufferSize=-1
&reWriteBatchedInserts=false&sendBufferSize=-1
&socketTimeout=0&sslfactory=org.postgresql.ssl.LibPQFactory
&sslNegotiation=postgres
&sslResponseTimeout=5000&sspiServiceClass=POSTGRES
&targetServerType=master&tcpKeepAlive=false
&tcpNoDelay=true&unknownLength=2147483647
&useSpnego=false&xmlFactoryFactory=
PostgreSQL JDBC Driver 42.7.7
setDefaultFetchSize = 0
setPrepareThreshold = 5
Trying to establish a protocol version 3 connection to xxxx.xxx.xxx.xxx:5432
Receive Buffer Size is 183,680
Send Buffer Size is 43,520
FE=> SSLRequest postgres
<=BE SSLRefused
FE=> StartupPacket(user=xxxxxxx, database=xxxxxxxxx, client_encoding=UTF8, DateStyle=ISO, TimeZone=Europe/Berlin)
channelBinding( PREFER )
<=BE AuthenticationSASL( [SCRAM-SHA-256] )
Connection error: : org.postgresql.util.PSQLException: Invalid SCRAM client initialization
at org.postgresql.core.v3.ScramAuthenticator.initializeScramClient(ScramAuthenticator.java:67)
at org.postgresql.core.v3.ScramAuthenticator.<init>(ScramAuthenticator.java:45)`
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
@ 2025-08-10 08:10 ` "bwillnus (@bwillnus)" <[email protected]>
3 siblings, 0 replies; 5+ messages in thread
From: bwillnus (@bwillnus) @ 2025-08-10 08:10 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Also used the provided basic Java code "TestNullsFirst" to reproduce the issues. Still the same error, so it has nothing to do with JBoss EAP.
Tested with OpenJDK 17 and 21: It works!
So it must have something to do with OpenJDK 1.8.0_422 and FIPS
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
@ 2025-08-10 10:38 ` "davecramer (@davecramer)" <[email protected]>
3 siblings, 0 replies; 5+ messages in thread
From: davecramer (@davecramer) @ 2025-08-10 10:38 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
why do you have
`ssl = off`
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
@ 2025-08-10 11:30 ` "bwillnus (@bwillnus)" <[email protected]>
3 siblings, 0 replies; 5+ messages in thread
From: bwillnus (@bwillnus) @ 2025-08-10 11:30 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
- It's just an environment for testing, no confidential data to protect there
- ssl = off is the default setting of PostgreSQL, so why should it be mandatory for JDBC?
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode
@ 2025-08-10 12:04 ` "davecramer (@davecramer)" <[email protected]>
3 siblings, 0 replies; 5+ messages in thread
From: davecramer (@davecramer) @ 2025-08-10 12:04 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
It will be required for scram
^ permalink raw reply [nested|flat] 5+ messages in thread
end of thread, other threads:[~2025-08-10 12:04 UTC | newest]
Thread overview: 5+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-08-10 07:48 [pgjdbc/pgjdbc] issue #3756: Invalid SCRAM client initialization in FIPS mode "bwillnus (@bwillnus)" <[email protected]>
2025-08-10 08:10 ` "bwillnus (@bwillnus)" <[email protected]>
2025-08-10 10:38 ` "davecramer (@davecramer)" <[email protected]>
2025-08-10 11:30 ` "bwillnus (@bwillnus)" <[email protected]>
2025-08-10 12:04 ` "davecramer (@davecramer)" <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox