npgsql
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.Auth.cs
Copy file name to clipboardExpand all lines: src/Npgsql/Internal/NpgsqlConnector.Auth.cs
+2Lines changed: 2 additions & 0 deletions b/‎src/Npgsql/Internal/NpgsqlConnector.Auth.cs
Copy file name to clipboardExpand all lines: src/Npgsql/Internal/NpgsqlConnector.Auth.cs
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.cs
Copy file name to clipboardExpand all lines: src/Npgsql/Internal/NpgsqlConnector.cs
+15-1Lines changed: 15 additions & 1 deletion b/‎src/Npgsql/Internal/NpgsqlConnector.cs
Copy file name to clipboardExpand all lines: src/Npgsql/Internal/NpgsqlConnector.cs
+15-1Lines changed: 15 additions & 1 deletion
@@ -202,6 +202,8 @@ internal void AuthenticateSASLSha256Plus(ref string mechanism, ref string cbindF
             return;
         }
 
+        // While SslStream.RemoteCertificate is X509Certificate2, it actually returns X509Certificate2
+        // But to be on the safe side we'll just create a new instance of it
         using var remoteCertificate = new X509Certificate2(sslStream.RemoteCertificate);
         // Checking for hashing algorithms
         HashAlgorithm? hashAlgorithm = null;
 
@@ -2209,8 +2209,9 @@ void FullCleanup()
     /// </remarks>
     void Cleanup()
     {
+        var sslStream = _stream as SslStream;
 #if !NETSTANDARD2_0
-        if (_stream is SslStream sslStream)
+        if (sslStream is not null)
         {
             try
             {
@@ -2226,6 +2227,19 @@ void Cleanup()
         }
 #endif
 
+        // After we access SslStream.RemoteCertificate (like for SASLSha256Plus)
+        // SslStream will no longer dispose it for us automatically
+        // Which is why we have to do it ourselves before disposing the stream
+        // As otherwise accessing RemoteCertificate will throw an exception
+        try
+        {
+            sslStream?.RemoteCertificate?.Dispose();
+        }
+        catch
+        {
+            // ignored
+        }
+
         try
         {
             _stream?.Dispose();
Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,8 @@ internal void AuthenticateSASLSha256Plus(ref string mechanism, ref string cbindF`
`202`	`202`	`return;`
`203`	`203`	`}`
`204`	`204`
	`205`	`+ // While SslStream.RemoteCertificate is X509Certificate2, it actually returns X509Certificate2`
	`206`	`+ // But to be on the safe side we'll just create a new instance of it`
`205`	`207`	`using var remoteCertificate = new X509Certificate2(sslStream.RemoteCertificate);`
`206`	`208`	`// Checking for hashing algorithms`
`207`	`209`	`HashAlgorithm? hashAlgorithm = null;`