Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use TlsMode::Prefer instead of TlsMode:None in notification_listener #2097

Closed
joe-bowman opened this issue Dec 26, 2020 · 7 comments
Closed

Use TlsMode::Prefer instead of TlsMode:None in notification_listener #2097

joe-bowman opened this issue Dec 26, 2020 · 7 comments
Assignees
@tilacog
Labels
area/store

Comments

@joe-bowman
Copy link

In notification_listener, we create a postgresql connection with the param TlsMode::None. There is no reason to not use TlsMode::Prefer here and not force operators to run postgresql with Host over SslHost in pg_hba.conf.

graph-node/store/postgres/src/notification_listener.rs

Line 121 in 39287ae

let conn = Connection::connect(postgres_url, TlsMode::None)

Elsewhere, Diesel is used and this respects the postgres_url passed on the command line.
@joe-bowman
Copy link
Author

Sadly, this is not as easy as it seems.

The postgres v0.15.2 library support for TLS requires an old version of openssl - and upgrading runs into various issues (notably mutable borrowing of the Postgresql Client object for both Client.notifications() and a new JsonNotification object).

It'd be great to get this looked into, because disabling TLS for this feels the wrong thing to do..

@leoyvens
Copy link
Collaborator

leoyvens commented Apr 6, 2021

@joe-bowman are you still interested in this? We've since updated the postgres crate, if you want to try this again.

@qiaozhengyuan
Copy link

Would hope this change gets deployed as when I tried to run the docker image with my own postgresql service, it failed because my postgresql enforces tls.

@leoyvens leoyvens mentioned this issue Dec 3, 2021
Closed
@tilacog tilacog self-assigned this Dec 3, 2021
@wup-one
Copy link

wup-one commented Apr 2, 2022
edited
Loading

Any update here? Does the graph-node support postgres over SSL?

@JasoonS
Copy link

JasoonS commented Apr 21, 2022

Does the graph-node support postgres over SSL?

AFAIK not unfortunately. It is a big pity since most self maintained graphs would use a postgres instance that requires SSL.

@mb-shorai
Copy link
Contributor

mb-shorai commented Apr 21, 2022
edited
Loading

The postgres v0.15.2 library support for TLS requires an old version of openssl - and upgrading runs into various issues (notably mutable borrowing of the Postgresql Client object for both Client.notifications() and a new JsonNotification object).

@joe-bowman how can one reproduce the issue? As I'm experimenting with enabling TLS and I would like to check if the issue with mutable borrowing still exists.

@mb-shorai mb-shorai mentioned this issue Apr 27, 2022
Merged
@mb-shorai
Copy link
Contributor

I guess it can be closed now that #3503 is merged, although there is some room for improvements (e.g. don't turn the certificate validation off, but make it configurable).

@evaporei evaporei closed this as completed May 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tilacog tilacog

Labels
area/store
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@tilacog @qiaozhengyuan @joe-bowman @JasoonS @leoyvens @evaporei @mb-shorai @wup-one