-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(pg-connection-string): get closer to libpq semantics for sslmode
#2709
base: master
Are you sure you want to change the base?
Conversation
Co-authored-by: Charmander <[email protected]>
@charmander do we have an idea when this will land / get released as part of pg9? |
Help @brianc to merge this |
@brianc / @hjr3 what's the status on this? We've a PR on Mastodon blocked by this change: mastodon/mastodon#25483 |
@ThisIsMissEm Is that PR blocked on this? It looks more like it would be made unnecessary by this. |
I'm saying "blocked" in the sense of if upstream is going to fix, that'd be preferable to a fix in our code for it |
@ThisIsMissEm On second read, it looks like the Mastodon PR is necessary either way. Unless you were planning on deleting all of that code if this were merged and released soon enough? |
This PR introduces breaking changes. We should probably:
|
@hjr3 that sounds good to me! |
Just wanted to follow up and see if there's any plans for forwards progress on this? |
Over on Mastodon, @ThisIsMissEm asked if I might know some Node.js TLS/SSL people who might be able to review this. I hope I'm not pinging too widely, but I'm certainly interested in trying to unblock things for the Mastodon project so....hey, can anyone review? @indutny @jasnell @joyeecheung @tniessen @pimterry @panva @mertcanaltin |
I’m not really up to speed on the Mastodon context here, but some information, if it helps:
|
@charmander |
break | ||
} | ||
case 'verify-ca': { | ||
config.ssl.checkServerIdentity = function () {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On second thought, even though libpq has and has documented this same problem, maybe we should enforce that config.ssl.ca
is truthy here.
config.ssl.checkServerIdentity = function () {} | |
if (!config.ssl.ca) { | |
throw new Error('sslmode=verify-ca requires specifying a CA with sslrootcert') | |
} | |
config.ssl.checkServerIdentity = function () {} |
The main issue with this would be for anyone who wants to add a ca
key to the returned config.ssl
after parsing. I don’t think a warning is the way to go (too easy for those who need it to miss or ignore, and annoying for those who don’t need it to suppress). Would adding a whole options parameter to support this (parse(str, {deferSslCa: true})
– probably a better name option) be too much? (Related issue, merging configuration with a connection string is hard in general: #3327)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, the check could go in pg, e.g. by pg-connection-string exporting const NO_VERIFY = () => {}
and pg throwing if config.ssl.checkServerIdentity === NO_VERIFY && !config.ssl.ca
.
@ThisIsMissEm In the end it’s up to @brianc, but I’m against supporting Looking back at more of the context and questions, e.g.
(Re: managed database providers: It looks like DigitalOcean, the managed database provider in mastodon/mastodon#11445, is giving bad advice by encouraging people to connect with |
I suggested a path forward here: #2709 (comment) It is not clear to me why we would need to wait until pg 9 to release pg-connection-string v3.0 |
@hjr3 As I mentioned in the same comment:
i.e. we don’t need to wait, but the new major version of pg-connection-string won’t be the default dependency in pg (that it uses to parse |
I somehow missed that. My apologies. I understand and agree with what you are saying. I do think it is fairly common for teams to use newer versions of pg-connection-string with pg. |
Summary
We have found that the handling of the
sslmode
connection string parameter is inconsistent with other PG libraries and with the reference libpq documentation. This PR proposes some changes tosslmode
behavior that are more aligned with libpq.Detailed
sslmode
behaviorHere is the list of all
sslmode
values and their expected behavior with this PR:sslmode=verify-full
Require an SSL connection and verify the CA and server identity.
No changes in this PR.
sslmode=verify-ca
(changed)Require an SSL connection and verify the CA, but not the server identity. This is achieved by setting
ssl.checkServerIdentity
to a no-op function (see docs). Previously, this mode behaved likeverify-full
but that was not consistent with the libpq implementation.sslmode=require
(changed)If a root CA is provided via the
sslrootcert
parameter of the connection string, it behaves likeverify-ca
. Otherwise, require an SSL connection but do not verify CA and server identity (ssl.rejectUnauthorized
is set tofalse
).Previously, this mode behaved like
verify-full
but that was not consistent with the libpq implementation.sslmode=no-verify
Require an SSL connection but do not verify CA and server identity (
ssl.rejectUnauthorized
is set tofalse
).No changes in this PR. Note: this mode is not documented in libpq and does not appear to be broadly supported in other libraries, but has been kept as-is for the sake of backwards-compatibility. One option could be to mark it as deprecated since
sslmode=require
could be an alternative, but doing so might have little value for this project.sslmode=prefer
(changed)Require an SSL connection but do not verify CA and server identity (
ssl.rejectUnauthorized
is set tofalse
). Previously, this mode behaved likeverify-full
but that was not consistent with the libpq implementation.In reality, this mode should be even less strict and support a fallback logic from SSL to non-SSL connection if SSL is not accepted by the server. Implementing a fallback logic seems to be more complex to solve and I did not dare touch this, but this could eventually be addressed if users of this library deem this mode valuable.
sslmode=allow
Not supported by this library.
No changes in this PR. For this mode also, there could be an opportunity to implement a fallback logic from non-SSL to SSL, but I did not dare touch this and I don't have data that suggests that this might be valuable for this project.
sslmode=disable
Only try a non-SSL connection.
No changes in this PR
An important note is that this PR potentially introduces semver breaking changes, in particular because it relaxes the security constraints of some
sslmode
values:sslmode=prefer
is less strict, users should switch tosslmode=verify-full
to keep parity.sslmode=require
is less strict, users should switch tosslmode=verify-full
to keep parity.sslmode=verify-ca
is less strict, users should switch tosslmode=verify-full
to keep parity.Prior discussions about
sslmode
I believe this PR addresses concerns raised in these two GH issues in the past:
#2281
#2009
In particular, there has been one case where the
sslmode=verify-ca
is currently too strict when connecting through AWS RDS Proxy, but the work-around of usingsslmode=no-verify
would disable CA verification completely.Other languages/libraries and their support for
sslmode
Just as a reference, these two libraries are also trying to be more or less consistent with libpq:
disable
,require
,verify-ca
andverify-full
only.Thanks for considering this change and please let me know how I can polish this further for acceptance 🙏