On Thu, Nov 20, 2025 at 1:52 PM Heikki Linnakangas <[email protected]> wrote: > PostgreSQL does support channel binding, with tls-server-end-point. I > believe that sufficient to prevent an attack like that.
No, IIRC unique bindings (-unique and -exporter) prevent MITM even if the attacker has the server's private key, as long as they do not also possess the SCRAM verifiers. tls-server-end-point does not prevent against that (so you can terminate TLS on a different node from the verifiers). --Jacob
