@jawj jawj commented Jan 11, 2025

Hello. I hope you'll consider this patch, which adds support for SCRAM-SHA-256-PLUS authentication.

SCRAM-SHA-256-PLUS in Postgres enables tls-server-end-point channel binding, where the client sends the server a hash of the certificate it received as part of the TLS handshake. This prevents some kinds of MITM attacks where the attacker obtains a certificate that appears valid for the server, but is not actually the server's.

So far I've tested it working against Neon (who support SCRAM-SHA-256-PLUS) and Supabase (who don't).

Feel free to make any changes you think appropriate.
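The tls-server-end-point binding described in the comment above, as an added example that is not code from this pull request or from the library: it picks the digest from the certificate's signature algorithm as RFC 5929 requires and builds the `c=` value for the SCRAM client-final-message. The function names, the OID table and the sample DER are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// signatureAlgorithm OID (hex) -> binding hash; RFC 5929 maps MD5/SHA-1 signatures to SHA-256.
const HASH_BY_SIG_OID = {
  '2a864886f70d010105': 'sha256', // sha1WithRSAEncryption
  '2a864886f70d01010b': 'sha256', // sha256WithRSAEncryption
  '2a864886f70d01010c': 'sha384', // sha384WithRSAEncryption
  '2a8648ce3d040302': 'sha256',   // ecdsa-with-SHA256
  '2a8648ce3d040303': 'sha384'    // ecdsa-with-SHA384
};

// Read one DER TLV at pos; returns its tag and content bounds.
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new Error('truncated DER');
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {                 // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n < 1 || n > 4 || start + n > buf.length) throw new Error('bad DER length');
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error('truncated DER');
  return { tag: buf[pos], start, end: start + len };
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function channelBindingHash(certDer) {
  const cert = readTlv(certDer, 0);
  const alg = readTlv(certDer, readTlv(certDer, cert.start).end); // skip tbsCertificate
  const oid = readTlv(certDer, alg.start);
  if (cert.tag !== 0x30 || alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error('not a certificate');
  const name = HASH_BY_SIG_OID[certDer.subarray(oid.start, oid.end).toString('hex')];
  if (!name) throw new Error('binding undefined for this signature algorithm'); // fail closed
  return name;
}

// c= attribute of the SCRAM client-final-message: base64(gs2-header || cbind-data).
function scramChannelBinding(certDer) {
  const cbind = createHash(channelBindingHash(certDer)).update(certDer).digest();
  return Buffer.concat([Buffer.from('p=tls-server-end-point,,'), cbind]).toString('base64');
}

// Constructed input: certificate-shaped DER with empty fields, not a real certificate.
function sampleCertDer(sigOidHex) {
  const oid = Buffer.from(sigOidHex, 'hex');
  const alg = Buffer.concat([Buffer.from([0x30, oid.length + 4, 0x06, oid.length]), oid, Buffer.from([5, 0])]);
  const body = Buffer.concat([Buffer.from([0x30, 0]), alg, Buffer.from([3, 1, 0])]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}
```

In Node the DER bytes of the server certificate are available as `socket.getPeerCertificate().raw` on a connected `tls.TLSSocket`. Signature algorithms outside the table are rejected rather than silently falling back to SHA-256.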

Author

jawj commented Jan 12, 2025

I realise this will probably need some extra work for Cloudflare on the hash/digest method.

@porsager porsager force-pushed the master branch 2 times, most recently from 4fd011e to a92f470 Compare May 20, 2025 23:40
@porsager porsager force-pushed the master branch 2 times, most recently from 4a0fe34 to 3a43815 Compare November 12, 2025 04:40