Use platform native implementation of TLS/SSL #214
The TLS implementation is pluggable - there are currently implementations for OpenSSL and OSX's Secure Transport. The only reason an SChannel implementation is missing is that I don't have Postgres installed on my Windows machine :). Would you be interested in making a PR with an implementation using the https://crates.io/crates/schannel crate?
I will try.
I've just added support for the native-tls crate, which will use SChannel on Windows: 667b730 It would still be reasonable to support schannel directly, of course!
I've just pushed branch origin into my fork with 2 commits.
Looking in the rust-native-tls code I found that when building credentials on the credentials builder, only the enable_protocols method is executed, with the provided TLS1+ protocols.
The certificate error is probably because the certificate your Postgres is configured with isn't registered in your system's trust root.
I have no problem connecting without providing a CA certificate with pgjdbc or pgadmin3 or ODBC etc. The certificate is qualified. I need to provide the CA certificate to OpenSSL only on Windows. Just checked on Linux: it works without providing a CA certificate.
All of those things have different trust stores. pgjdbc will pull it from the Java keystore. pgadmin will apparently ignore the certificate entirely by default (!). If it's working on Linux, I'd assume it's because the root certificate was added to the trust store there.
In pgadmin SSL is set to required (certificate checked). The certificate is trusted by Certum Trusted Network CA.
Oh, not totally sure if it's commercially signed, unless Windows doesn't trust that root maybe?
trust
What about ODBC mentioned earlier?
I'm not familiar with ODBC personally, unfortunately. The trust issue seems like something that should be filed against the schannel-rs repo I think, ideally with a repro against a publicly accessible server.
I just tested a simple test connection to a web server via TLS (same server host as PostgreSQL's and the same certificate with the same CA bundle) using the example code in test.rs in schannel-rs, and it succeeded. I could test that simple connection to PostgreSQL via TlsStream but I don't know how to talk to Postgres.
Interesting! Doing a TLS handshake with Postgres takes a bit of work, but isn't too terrible:
The same errors with a simple connection... but I found the cause. It was the PostgreSQL server configuration. According to the documentation, when ssl_ca_file is defined in postgresql.conf, the certificate from that file is used for validating the client certificate provided by the client (what?), even if this certificate is not actually used afterwards. Without ssl_ca_file this client certificate is not verified and the connection is successful.
I like this native-tls implementation - simple and multiplatform.
Ah ha! Client certificate authentication is a somewhat rarely used feature of SSL. Glad you're finding native-tls useful!
On Windows OpenSSL does not use the system certificate store. Even if your PostgreSQL server is secured with a qualified certificate, you need to provide its qualified CA certificate for a successful handshake.
This CA certificate should be in the system certificate store.
The solution is to use a native TLS implementation which has access to the system certificate store.