
Commit 609d0f1

committed
config: add sslmode verify-ca and verify-full
When a connection is established, the added modes are treated in the same way as the existing `require` mode, since all of them require a TLS connection. It's the responsibility of the user to configure the TLS stream to match the semantics of the Postgres client (e.g. enable peer cert verification).
1 parent 3073435 commit 609d0f1


3 files changed

+18
-7
lines changed


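--- a/postgres/src/config.rs
+++ b/postgres/src/config.rs
@@ -34,7 +34,9 @@ use tokio_postgres::{Error, Socket};
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-/// if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+/// if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+/// be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+/// the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 /// path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 /// can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting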
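Review bot: The new `sslmode` doc text (and the identical lines in the tokio-postgres/src/config.rs hunk) says TLS "will be forced" for `verify-ca` and `verify-full` but leaves the reader to infer the security-relevant part: in this crate those two values add nothing beyond `require`, even though the commit message notes they are the names the Postgres client uses for modes that do perform peer-certificate checks. I would say so plainly and name the component the user must configure, e.g. `/// `verify-ca` and `verify-full` are accepted but behave identically to `require` here: this crate only insists on a TLS connection, and certificate and hostname verification must be configured on the TLS connector supplied by the caller.` "SSL stream" in the added sentence is also inconsistent with the surrounding "TLS" wording.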

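--- a/tokio-postgres/src/config.rs
+++ b/tokio-postgres/src/config.rs
@@ -42,6 +42,10 @@ pub enum SslMode {
 Prefer,
 /// Require the use of TLS.
 Require,
+/// Require the use of TLS. Verify peer cert without hostname verification.
+VerifyCa,
+/// Require the use of TLS. Verify peer cert and hostname.
+VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -85,7 +89,9 @@ pub enum Host {
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-/// if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+/// if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+/// be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+/// the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 /// path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 /// can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -409,6 +415,8 @@ impl Config {
 "disable" => SslMode::Disable,
 "prefer" => SslMode::Prefer,
 "require" => SslMode::Require,
+"verify-ca" => SslMode::VerifyCa,
+"verify-full" => SslMode::VerifyFull,
 _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
 };
 self.ssl_mode(mode);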
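Review bot: The variant docs added in the first hunk, `/// Require the use of TLS. Verify peer cert without hostname verification.` on `VerifyCa` and `/// Require the use of TLS. Verify peer cert and hostname.` on `VerifyFull`, read as a guarantee that the library performs those checks, while the connect_tls.rs change in this same commit routes all three modes through one path and passes nothing about the mode to the TLS connector. Someone choosing `VerifyFull` from the enum docs alone could believe hostname verification is enforced when it is not. I would reword both to state an expectation on the caller rather than a behaviour, e.g. `/// Require the use of TLS. The caller's TLS connector is expected to verify the peer certificate; this crate does not check it.` with the `VerifyFull` counterpart adding hostname verification. The `SslMode` enum and the `impl Config` block both extend beyond the hunks shown.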

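--- a/tokio-postgres/src/connect_tls.rs
+++ b/tokio-postgres/src/connect_tls.rs
@@ -21,7 +21,7 @@ where
 SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {
 return Ok(MaybeTlsStream::Raw(stream))
 }
-SslMode::Prefer | SslMode::Require => {}
+SslMode::Prefer | SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {}
 }
 
 let mut buf = BytesMut::new();
@@ -32,10 +32,11 @@ where
 stream.read_exact(&mut buf).await.map_err(Error::io)?;
 
 if buf[0] != b'S' {
-if SslMode::Require == mode {
-return Err(Error::tls("server does not support TLS".into()));
-} else {
-return Ok(MaybeTlsStream::Raw(stream));
+match mode {
+SslMode::Disable | SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),
+SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {
+return Err(Error::tls("server does not support TLS".into()))
+}
 }
 }
 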
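Review bot: Both arms that now list `VerifyCa` and `VerifyFull` (new line 24 in the first hunk, and the `Err` arm inside the `buf[0] != b'S'` branch in the second) treat them exactly like `Require`, and nothing in either hunk hands `mode` to `tls`, so the verification level the user asked for never reaches the connector; that is intentional per the commit message, but the code should say so where a future reader will look, e.g. at the first arm `// VerifyCa/VerifyFull only force TLS here; certificate and hostname verification is the responsibility of the caller's TLS connector.`. In the second hunk the `SslMode::Disable` arm that returns a raw stream looks unreachable if the enclosing match already returned for `Disable` above line 21 (that arm is outside the hunk, so I cannot confirm it); if that is the case, `unreachable!()` would document the invariant better than a silent fall-through. The enclosing function starts and ends outside both hunks.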
