From 26e9f4d61c078a720545c31b606b481cf022ce8c Mon Sep 17 00:00:00 2001
From: Jorge Solorzano <jorsol@gmail.com>
Date: Thu, 4 Jun 2026 18:17:29 +0200
Subject: [PATCH] fix(deps): bump scram-client to 3.3

Signed-off-by: Jorge Solorzano <jorsol@gmail.com>
---
 vertx-pg-client/pom.xml                                    | 2 +-
 .../vertx/pgclient/impl/auth/scram/ScramSessionImpl.java   | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/vertx-pg-client/pom.xml b/vertx-pg-client/pom.xml
index f571805d8..3c3006b35 100644
--- a/vertx-pg-client/pom.xml
+++ b/vertx-pg-client/pom.xml
@@ -51,7 +51,7 @@
     <dependency>
       <groupId>com.ongres.scram</groupId>
       <artifactId>scram-client</artifactId>
-      <version>3.2</version>
+      <version>3.3</version>
     </dependency>
 
     <!-- Testing purposes -->
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java
index 66fb7e797..f276a1704 100644
--- a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java
+++ b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java
@@ -17,6 +17,7 @@
 
 package io.vertx.pgclient.impl.auth.scram;
 
+import com.ongres.scram.client.ChannelBindingPolicy;
 import com.ongres.scram.client.ScramClient;
 import com.ongres.scram.common.StringPreparation;
 import com.ongres.scram.common.exception.ScramInvalidServerSignatureException;
@@ -32,6 +33,7 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
@@ -73,6 +75,7 @@ public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHan
         .username(username) // ignored by the server, use startup message
         .password(password)
         .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
+        .channelBindingPolicy(ChannelBindingPolicy.ALLOW)
         .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData)
         .build();
 
@@ -128,10 +131,10 @@ private byte[] extractChannelBindingData(ChannelHandlerContext ctx) {
             Certificate peerCert = certificates[0]; // First certificate is the peer's certificate
             if (peerCert instanceof X509Certificate) {
               X509Certificate cert = (X509Certificate) peerCert;
-              return TlsServerEndpoint.getChannelBindingData(cert);
+              return TlsServerEndpoint.getChannelBindingHash(cert);
             }
           }
-        } catch (CertificateEncodingException | SSLException e) {
+        } catch (CertificateEncodingException | SSLException | NoSuchAlgorithmException e) {
           // Cannot extract X509Certificate from SSL session
           // handle as no channel binding available
         }