config: add sslmode verify-ca and verify-full

When a connection is established, the added modes are treated in the same way as the existing `require` mode as they both require a TLS connection. It's the responsibility of the user to configure the TLS stream to match the semantics of Postgres client (e.g. enable peer cert verification).
MaterializeInc · uce · May 17, 2021 · May 17, 2021 · May 17, 2021 · May 18, 2021
commit cc45c4f0badb1f705ee76cfade7ec0e1c4b3080c
diff --git a/postgres/src/config.rs b/postgres/src/config.rs
@@ -34,7 +34,9 @@ use tokio_postgres::{Error, Socket};
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+///     the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting

diff --git a/tokio-postgres/src/config.rs b/tokio-postgres/src/config.rs
@@ -42,6 +42,10 @@ pub enum SslMode {
     Prefer,
     /// Require the use of TLS.
     Require,
+    /// Require the use of TLS. Verify peer cert without hostname verification.
+    VerifyCa,
+    /// Require the use of TLS. Verify peer cert and hostname.
+    VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -95,7 +99,9 @@ pub enum Host {
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`. Note that for modes `verify-ca` and `verify-full`, it's up to the user to configure
+///     the SSL stream to respect the desired configuration (e.g. verification of certs, hostname verification).
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -432,6 +438,8 @@ impl Config {
                     "disable" => SslMode::Disable,
                     "prefer" => SslMode::Prefer,
                     "require" => SslMode::Require,
+                    "verify-ca" => SslMode::VerifyCa,
+                    "verify-full" => SslMode::VerifyFull,
                     _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
                 };
                 self.ssl_mode(mode);

diff --git a/tokio-postgres/src/connect_tls.rs b/tokio-postgres/src/connect_tls.rs
@@ -21,7 +21,7 @@ where
         SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {
             return Ok(MaybeTlsStream::Raw(stream))
         }
-        SslMode::Prefer | SslMode::Require => {}
+        SslMode::Prefer | SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {}
     }
 
     let mut buf = BytesMut::new();
@@ -32,10 +32,11 @@ where
     stream.read_exact(&mut buf).await.map_err(Error::io)?;
 
     if buf[0] != b'S' {
-        if SslMode::Require == mode {
-            return Err(Error::tls("server does not support TLS".into()));
-        } else {
-            return Ok(MaybeTlsStream::Raw(stream));
+        match mode {
+            SslMode::Disable | SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),
+            SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {
+                return Err(Error::tls("server does not support TLS".into()))
+            }
         }
     }