config: add sslmode verify-ca and verify-full

uce · uce · commit 609d0f18eed9 · 2021-05-18T12:40:37.000+02:00
When a connection is established, the added modes are treated in the
same way as the existing `require` mode as they both require a TLS
connection.

It's the responsibility of the user to configure the TLS stream to match
the semantics of Postgres client (e.g. enable peer cert verification).
diff --git a/postgres/src/config.rs b/postgres/src/config.rs
@@ -34,7 +34,9 @@ use tokio_postgres::{Error, Socket};
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+///     the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
diff --git a/tokio-postgres/src/config.rs b/tokio-postgres/src/config.rs
@@ -42,6 +42,10 @@ pub enum SslMode {
     Prefer,
     /// Require the use of TLS.
     Require,
+    /// Require the use of TLS. Verify peer cert without hostname verification.
+    VerifyCa,
+    /// Require the use of TLS. Verify peer cert and hostname.
+    VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -85,7 +89,9 @@ pub enum Host {
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+///     the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -409,6 +415,8 @@ impl Config {
                     "disable" => SslMode::Disable,
                     "prefer" => SslMode::Prefer,
                     "require" => SslMode::Require,
+                    "verify-ca" => SslMode::VerifyCa,
+                    "verify-full" => SslMode::VerifyFull,
                     _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
                 };
                 self.ssl_mode(mode);
diff --git a/tokio-postgres/src/connect_tls.rs b/tokio-postgres/src/connect_tls.rs
@@ -21,7 +21,7 @@ where
         SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {
             return Ok(MaybeTlsStream::Raw(stream))
         }
-        SslMode::Prefer | SslMode::Require => {}
+        SslMode::Prefer | SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {}
     }
 
     let mut buf = BytesMut::new();
@@ -32,10 +32,11 @@ where
     stream.read_exact(&mut buf).await.map_err(Error::io)?;
 
     if buf[0] != b'S' {
-        if SslMode::Require == mode {
-            return Err(Error::tls("server does not support TLS".into()));
-        } else {
-            return Ok(MaybeTlsStream::Raw(stream));
+        match mode {
+            SslMode::Disable | SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),
+            SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {
+                return Err(Error::tls("server does not support TLS".into()))
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ where`
`21`	`21`	`SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {`
`22`	`22`	`return Ok(MaybeTlsStream::Raw(stream))`
`23`	`23`	`}`
`24`		`- SslMode::Prefer \| SslMode::Require => {}`
	`24`	`+ SslMode::Prefer \| SslMode::Require \| SslMode::VerifyCa \| SslMode::VerifyFull => {}`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`let mut buf = BytesMut::new();`
`@@ -32,10 +32,11 @@ where`
`32`	`32`	`stream.read_exact(&mut buf).await.map_err(Error::io)?;`
`33`	`33`
`34`	`34`	`if buf[0] != b'S' {`
`35`		`- if SslMode::Require == mode {`
`36`		`- return Err(Error::tls("server does not support TLS".into()));`
`37`		`- } else {`
`38`		`- return Ok(MaybeTlsStream::Raw(stream));`
	`35`	`+ match mode {`
	`36`	`+ SslMode::Disable \| SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),`
	`37`	`+ SslMode::Require \| SslMode::VerifyCa \| SslMode::VerifyFull => {`
	`38`	`+ return Err(Error::tls("server does not support TLS".into()))`
	`39`	`+ }`
`39`	`40`	`}`
`40`	`41`	`}`
`41`	`42`