Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support sslrootcert= connection string parameter for verifying SSL to postgres #652

Open
cflanny opened this issue Nov 20, 2024 · 2 comments

Comments

@cflanny
Copy link

cflanny commented Nov 20, 2024

It would appear that the sslrootcert= connection string parameter is not supported, which means that you can not use verified SSL / TLS to a postgres database host using a certificate from a private CA, which includes Amazon RDS. If your database is using a certificate from a non-publicly trusted CA, the best you can do is no-verify which will give you SSL / TLS, but leave you vulnerable to a man-in-the-middle proxy.

More info on Amazon RDS certificates: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Source for downloading RDS root certificates for verification: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesDownload

Desired Behavior

Using a connection string such as postgres://user:pass@host/database?sslmode=require&sslrootcert=/path/to/cert.pem would result in a successful connection using TLS.

Motivation

If your database is using a certificate from a non-publicly trusted CA, the best you can do is no-verify which will give you SSL / TLS, but leave you vulnerable to a man-in-the-middle proxy. This leaves you one DNS attack or malicious hosts file entry away from streaming your database transactions to unknown attackers in realtime.

Implementation

Implement the sslrootcert connection string parameter as implemented in other postgresql client implementations, and in the underlying node-libpq API.

@gajus
Copy link
Owner

gajus commented Dec 3, 2024

@cflanny I am not super familiar with the SSL configuration in Postgres, but take a look at whether this solves it for you.

#653

gajus added a commit that referenced this issue Jan 3, 2025
* style: add missing line breaks

* feat: add the ability to configure sslrootcert, sslkey and sslrootcert (#652)

* feat: add the ability to configure sslrootcert, sslkey and sslrootcert (#652)

* style: apply eslint fixes

* chore: add cspell exceptions for ssl

* docs: add changeset

* docs: elaborate on supported dsn parameters

* docs: elaborate on supported dsn parameters

* fix: remove explicit default

* refactor: move test SSLs to a package

* lint

* test: add framework for testing ssl
@gajus
Copy link
Owner

gajus commented Jan 6, 2025

@cflanny Do you have a second to evaluate the proposed solution?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants