Add more SSL options to Config #768
Comments
|
How would those options actually be consumed? |
|
@sfackler Thanks for asking! The The goal would be to mimic let mut builder = SslConnector::builder(SslMethod::tls_client())?;
// Currently supported sslmodes (disable, prefer, require) don't verify peer certificates
builder.set_verify(SslVerifyMode::NONE);
Ok(MakeTlsConnector::new(builder.build()))If we had the additional modes What do you think? |
|
But there is no interface to pass that configuration down to the TLS implementation currently. |
|
I was trying to implement same ssl options as available in psql, e.g. Ideally rust-postgres would handle TLS internally - via rustls by default, or for backward compatibility -- via openssl (feature flags), but at the moment the structure of the lib seems to delegate all TLS configuration to the user, which creates multiple fairly complex and sometimes buggy implementations. |
|
I did another, much simpler take on solving this in #988, hopefully this is more palatable to everyone, while it will unblock all those who want to use this functionality. |
This is a partial fix for #496 * BREAKING: Now Martin behaves the same way as `psql` -- by default, if SSL is available on the server, it will be used, even though it will not verify that the server has a valid SSL certificate * Martin now understands `PGSSLCERT`, `PGSSLKEY`, and `PGSSLROOTCERT` env vars (and corresponding config keys) - same as psql. * Martin can now process `?sslmode=verify-ca` and `verify-full` (just like psql). The verify modes require root and/or client cert & key. * remove `danger_accept_invalid_certs` -- turns out that behavior is expected by default unless ssl mode is set to verify - which upstream lib [does not support](sfackler/rust-postgres#768) - PR [submitted](sfackler/rust-postgres#988). * added connection_timeout_ms option for postgres and set it to 5 seconds by default. This way it will fail out earlier. * added error reporting to bb8 - but it is currently [broken upstream](djc/bb8#151) - not sure we can fix it easily, so may need to switch to deadpool later. * added docker-based TLS test (horray!) - wasn't trivial at all, despite ending up fairly simple.
|
If we wish to do it the same way as libpq and other libraries do - well I think we do - then in my opinion we should change pub trait MakeTlsConnect<S> {
type Stream: TlsStream + Unpin;
type TlsConnect: TlsConnect<S, Stream = Self::Stream>;
type Error: Into<Box<dyn Error + Sync + Send>>;
// Required method
fn make_tls_connect(
&mut self,
cfg &tokio_postgres::Config,
domain: &str
) -> Result<Self::TlsConnect, Self::Error>;
}libpq connection strings specify whether TLS is desired/required, where CA lies, what client certificate to use, etc. So we can't really build a connector without the config/connection string. This would be a breaking change, but I don't see a way to do this without changing the trait. If this change looks OK, I can try to make a PR. |
I was wondering whether you would be open to extending
Configas follows:VerifyCaandVerifyFulltoSslModeAdd optionssslcert,sslkey,sslrootcertFor context: We allow users to specify a connection string that we then pass directly to the client and we would like it to behave in a similar way as
psql. We currently have to provide the above options "out-of-band".I would understand if this is rejected since it does not affect the client directly, but only how to configure TLS support (which is the responsibility of the client user and not the client in the current design).
If you don't have any concerns with this, feel free to assign it to me.
cc @sfackler
The text was updated successfully, but these errors were encountered: