Add sslmode verify-ca and verify-full (take 2)
#988
Conversation
Implement additional support for postgres ssl_mode parsing. The new modes will still result in a TLS error, but this approach allows users to handle additional cert validation modes before calling connect_tls()
This is a partial fix for #496 * BREAKING: Now Martin behaves the same way as `psql` -- by default, if SSL is available on the server, it will be used, even though it will not verify that the server has a valid SSL certificate * Martin now understands `PGSSLCERT`, `PGSSLKEY`, and `PGSSLROOTCERT` env vars (and corresponding config keys) - same as psql. * Martin can now process `?sslmode=verify-ca` and `verify-full` (just like psql). The verify modes require root and/or client cert & key. * remove `danger_accept_invalid_certs` -- turns out that behavior is expected by default unless ssl mode is set to verify - which upstream lib [does not support](sfackler/rust-postgres#768) - PR [submitted](sfackler/rust-postgres#988). * added connection_timeout_ms option for postgres and set it to 5 seconds by default. This way it will fail out earlier. * added error reporting to bb8 - but it is currently [broken upstream](djc/bb8#151) - not sure we can fix it easily, so may need to switch to deadpool later. * added docker-based TLS test (horray!) - wasn't trivial at all, despite ending up fairly simple.
|
I don't feel great about including options in a library's config that it inherently does not support. I think it would be instead preferable to have the external library have a sort of wrapper parser that adjusts the sslmode before passing the string along. |
|
I wonder if it would be possible for this crate to somehow pass the If |
|
@sfackler technically, all except the |
|
First of Thank you for this amazing crate! I ran into this issue recently and decided to chime in on the convo. FWIW this is a real blocker for implementing a more seamless TLS experience or automatic handling thereof. Even if the library itself did eventually some day handle via I would argue that adding this to the Config would be ok so long as the user is notified when something is misconfigured, which it appears that this PR does. Additionally it will facilitate the next steps of a more seamless experience and ability for custom configuration until then. |
|
I think any approach which makes this library appear to support One option would be to add a method to the fn make_tls_connect_with_mode(&mut self, domain: &str, mode: SslMode) -> Result<Self::TlsConnect, Self::Error> {
self.make_tls_connect(domain)
}Since it has a default impl, this would not break existing code using the trait (I think the possibility of name collisions can be discounted in this situation). The crates implementing TLS support (e.g. |
|
I am ok with any approach that would get us towards the more seamless SSL usage. I think it is fundamentally bad for the community adaption to have this amazing library that omits the most critical component - ability to connect to every correctly-configured PostgreSQL server. Currently, each developer must do a deep dive into SSL configurations and the error-prone TLS library setup. With so much copy/paste required, lots of implementations will have security bugs, giving bad name to the whole ecosystem. |
|
@sfackler per above, would it possible to move forward with this? I am sure we all would love to get a cleaner SSL solution for all users, and it is clearly required. This solution offers a path forward without backward compat breaking. |
|
To also add onto @nyurik’s comment no matter the path forward it seems like the config will need to be able to parse these additional values. Required is already present and not supported out of the box also and so see no harm in the other two also being present. I just had to hack the connection string in my project just to support there other two modes and ensure the Config parsing didn’t fail on them. Even if your not ready to proceed with any next steps beyond adding to the config I for one would be super grateful to not have to hack the connection string in my projects like this even if just a first step 🙏 |
|
@sfackler friendly ping. I know we are all busy with our favorite projects, but this is really blocking a lot of us, and seems to be the easiest path forward. Thanks! ❤️ |
That is not an accurate description of the library's handling of sslmode.
This seems at a high level like an reasonable approach, but I don't think it would be a good idea to have a default implementation that ignores the setting. There are also other bits of ssl config that would presumably need to be passed through like sslcert, sslkey, etc. I am also a bit concerned about opening up built in support for verify-ca. In TYOOL 2023, it is time for people to figure out how to issue certificates with a proper SAN and stick it in their postgres. Every TLS backend I'm aware of for this crate acts as if |
The current status quo does in fact have the ability, without any manual TLS configuration, to connect to any correctly-configured PostgreSQL server — you don't need to do any manual configuration of TLS libraries on the client if the server is correctly configured, since the defaults of
Can you share a little bit more detail about your use case and how this is blocking you, to help ensure that the design of any potential solution here does in fact solve your problem? |
Implement additional support for postgres ssl_mode parsing. The new modes will still result in a TLS error, but this approach allows users to handle additional cert validation modes before calling connect_tls().
Note that this approach is mostly a noop/backward compatible for all those who don't care about this because if the ssl mode is set to one of the verify modes, existing user code will continue to error-out because
connect_tls()will return an error. The only difference is that the error will happen a bit later while trying to connect, instead of failing during the config parse.Expected usage:
This fixes #768 and uses some ideas from #774