Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(pg-connection-string): get closer to libpq semantics for sslmode #2709

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

pmalouin
Copy link

Summary

We have found that the handling of the sslmode connection string parameter is inconsistent with other PG libraries and with the reference libpq documentation. This PR proposes some changes to sslmode behavior that are more aligned with libpq.

Detailed sslmode behavior

Here is the list of all sslmode values and their expected behavior with this PR:

sslmode=verify-full

Require an SSL connection and verify the CA and server identity.
No changes in this PR.

sslmode=verify-ca (changed)

Require an SSL connection and verify the CA, but not the server identity. This is achieved by setting ssl.checkServerIdentity to a no-op function (see docs). Previously, this mode behaved like verify-full but that was not consistent with the libpq implementation.

sslmode=require (changed)

If a root CA is provided via the sslrootcert parameter of the connection string, it behaves like verify-ca. Otherwise, require an SSL connection but do not verify CA and server identity (ssl.rejectUnauthorized is set to false).
Previously, this mode behaved like verify-full but that was not consistent with the libpq implementation.

sslmode=no-verify

Require an SSL connection but do not verify CA and server identity (ssl.rejectUnauthorized is set to false).
No changes in this PR. Note: this mode is not documented in libpq and does not appear to be broadly supported in other libraries, but has been kept as-is for the sake of backwards-compatibility. One option could be to mark it as deprecated since sslmode=require could be an alternative, but doing so might have little value for this project.

sslmode=prefer (changed)

Require an SSL connection but do not verify CA and server identity (ssl.rejectUnauthorized is set to false). Previously, this mode behaved like verify-full but that was not consistent with the libpq implementation.
In reality, this mode should be even less strict and support a fallback logic from SSL to non-SSL connection if SSL is not accepted by the server. Implementing a fallback logic seems to be more complex to solve and I did not dare touch this, but this could eventually be addressed if users of this library deem this mode valuable.

sslmode=allow

Not supported by this library.
No changes in this PR. For this mode also, there could be an opportunity to implement a fallback logic from non-SSL to SSL, but I did not dare touch this and I don't have data that suggests that this might be valuable for this project.

sslmode=disable

Only try a non-SSL connection.
No changes in this PR

An important note is that this PR potentially introduces semver breaking changes, in particular because it relaxes the security constraints of some sslmode values:

  • sslmode=prefer is less strict, users should switch to sslmode=verify-full to keep parity.
  • sslmode=require is less strict, users should switch to sslmode=verify-full to keep parity.
  • sslmode=verify-ca is less strict, users should switch to sslmode=verify-full to keep parity.

Prior discussions about sslmode

I believe this PR addresses concerns raised in these two GH issues in the past:
#2281
#2009

In particular, there has been one case where the sslmode=verify-ca is currently too strict when connecting through AWS RDS Proxy, but the work-around of using sslmode=no-verify would disable CA verification completely.

Other languages/libraries and their support for sslmode

Just as a reference, these two libraries are also trying to be more or less consistent with libpq:


Thanks for considering this change and please let me know how I can polish this further for acceptance 🙏

packages/pg-connection-string/README.md Outdated Show resolved Hide resolved
packages/pg-connection-string/test/parse.js Outdated Show resolved Hide resolved
packages/pg-connection-string/test/parse.js Outdated Show resolved Hide resolved
@charmander charmander added this to the [email protected] milestone Feb 24, 2022
@cyx
Copy link

cyx commented Mar 24, 2022

@charmander do we have an idea when this will land / get released as part of pg9?

@ceefour
Copy link

ceefour commented Dec 28, 2022

Please merge this as it fixes #2281 and #2375

@ceefour
Copy link

ceefour commented Mar 16, 2023

Help @brianc to merge this

@ThisIsMissEm
Copy link

@brianc / @hjr3 what's the status on this? We've a PR on Mastodon blocked by this change: mastodon/mastodon#25483

@charmander
Copy link
Collaborator

@ThisIsMissEm Is that PR blocked on this? It looks more like it would be made unnecessary by this.

@ThisIsMissEm
Copy link

@ThisIsMissEm Is that PR blocked on this? It looks more like it would be made unnecessary by this.

I'm saying "blocked" in the sense of if upstream is going to fix, that'd be preferable to a fix in our code for it

@charmander
Copy link
Collaborator

@ThisIsMissEm On second read, it looks like the Mastodon PR is necessary either way. Unless you were planning on deleting all of that code if this were merged and released soon enough?

@hjr3
Copy link
Contributor

hjr3 commented Jan 23, 2024

This PR introduces breaking changes. We should probably:

@ThisIsMissEm
Copy link

This PR introduces breaking changes. We should probably:

@hjr3 that sounds good to me!

@ThisIsMissEm
Copy link

Just wanted to follow up and see if there's any plans for forwards progress on this?

@Trott
Copy link

Trott commented Nov 12, 2024

Over on Mastodon, @ThisIsMissEm asked if I might know some Node.js TLS/SSL people who might be able to review this. I hope I'm not pinging too widely, but I'm certainly interested in trying to unblock things for the Mastodon project so....hey, can anyone review? @indutny @jasnell @joyeecheung @tniessen @pimterry @panva @mertcanaltin

@charmander
Copy link
Collaborator

I’m not really up to speed on the Mastodon context here, but some information, if it helps:

  • This implementation is (AFAIK) as correct as it can be in terms of translating libpq sslmodes to pg configuration. But although it’s documented, there is one sslmode hazard in libpq we could probably improve on.

    The difference between verify-ca and verify-full depends on the policy of the root CA. If a public CA is used, verify-ca allows connections to a server that somebody else may have registered with the CA. In this case, verify-full should always be used. If a local CA is used, or even a self-signed certificate, using verify-ca often provides enough protection.

  • I’ve already approved this PR, but since it’s a breaking change it isn’t going to be a default until pg 9. There are a lot of changes that would ideally go in pg 9, and I don’t expect it to come out soon. Maybe a new major version of pg-connection-string could be released sooner, if you’d be interested in adding a dependency on a newer version of pg-connection-string and using it manually to pass pg a configuration object instead of a connection string.

  • As @ThisIsMissEm mentioned in the linked pull request, pg doesn’t support sslmode=prefer (and it doesn’t support allow either). I think prefer is a bad idea (because it adds complexity and provides a false sense of security), assume/hope it’s only the libpq default for historical reasons, and don’t expect pg to support it in the future.

@ThisIsMissEm
Copy link

@charmander sslmode=prefer is explicitly what our users have asked for because we support it on the ruby side of the project which uses the native pg implementation

break
}
case 'verify-ca': {
config.ssl.checkServerIdentity = function () {}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, even though libpq has and has documented this same problem, maybe we should enforce that config.ssl.ca is truthy here.

Suggested change
config.ssl.checkServerIdentity = function () {}
if (!config.ssl.ca) {
throw new Error('sslmode=verify-ca requires specifying a CA with sslrootcert')
}
config.ssl.checkServerIdentity = function () {}

The main issue with this would be for anyone who wants to add a ca key to the returned config.ssl after parsing. I don’t think a warning is the way to go (too easy for those who need it to miss or ignore, and annoying for those who don’t need it to suppress). Would adding a whole options parameter to support this (parse(str, {deferSslCa: true}) – probably a better name option) be too much? (Related issue, merging configuration with a connection string is hard in general: #3327)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively, the check could go in pg, e.g. by pg-connection-string exporting const NO_VERIFY = () => {} and pg throwing if config.ssl.checkServerIdentity === NO_VERIFY && !config.ssl.ca.

@charmander
Copy link
Collaborator

charmander commented Nov 13, 2024

@charmander sslmode=prefer is explicitly what our users have asked for because we support it on the ruby side of the project which uses the native pg implementation

@ThisIsMissEm In the end it’s up to @brianc, but I’m against supporting sslmode=prefer in pg – it’s convenient and unsafe, which isn’t a good combo.

Looking back at more of the context and questions, e.g.

I'm wanting an expert opinion on the changes in the upstream PR before I make any further changes here, since I'm by no means an expert on TLS/SSL, and I'm cautious about introducing accidental security vulnerabilities here.

sslmode=require is implemented in this PR without adding any vulnerabilities relative to libpq, but libpq’s sslmode=require is inherently vulnerable to MITM even though it might sound like “require normal SSL” by the name – it doesn’t check certificates at all, so it only provides opportunistic encryption. Most people should be using either sslmode=verify-ca (with sslrootcert) or sslmode=verify-full. verify-full is the one that gives the basic guarantees of TLS that are defaults in places like Node’s node:tls module (+ most other platforms) and web browsers.

(Re: managed database providers: It looks like DigitalOcean, the managed database provider in mastodon/mastodon#11445, is giving bad advice by encouraging people to connect with sslmode=require over the internet, and only mentioning specifying sslrootcert as an afterthought, plus a quick link to libpq documentation. Heroku is even worse: require over the internet, require from generic code, no mention of the lack of guarantees anywhere. Google Cloud SQL is fully safe, but it does its own thing and passes pre-connected streams to pg. AWS RDS documents a secure way to do it, as well as what look like some less secure ways.)

@hjr3
Copy link
Contributor

hjr3 commented Nov 15, 2024

@charmander

I’ve already approved this PR, but since it’s a breaking change it isn’t going to be a default until pg 9.

I suggested a path forward here: #2709 (comment)

It is not clear to me why we would need to wait until pg 9 to release pg-connection-string v3.0

@charmander
Copy link
Collaborator

charmander commented Nov 15, 2024

@hjr3 As I mentioned in the same comment:

Maybe a new major version of pg-connection-string could be released sooner, if you’d be interested in adding a dependency on a newer version of pg-connection-string and using it manually to pass pg a configuration object instead of a connection string.

i.e. we don’t need to wait, but the new major version of pg-connection-string won’t be the default dependency in pg (that it uses to parse connectionString) until pg 9, so people will still need to make application-side changes.

@hjr3
Copy link
Contributor

hjr3 commented Nov 15, 2024

@hjr3 As I mentioned in the same comment:

Maybe a new major version of pg-connection-string could be released sooner, if you’d be interested in adding a dependency on a newer version of pg-connection-string and using it manually to pass pg a configuration object instead of a connection string.

i.e. we don’t need to wait, but the new major version of pg-connection-string won’t be the default dependency in pg (that it uses to parse connectionString) until pg 9, so people will still need to make application-side changes.

I somehow missed that. My apologies. I understand and agree with what you are saying.

I do think it is fairly common for teams to use newer versions of pg-connection-string with pg.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants