Support sslrootcert= connection string parameter for verifying SSL to postgres #652
It would appear that the sslrootcert= connection string parameter is not supported, which means that you can not use verified SSL / TLS to a postgres database host using a certificate from a private CA, which includes Amazon RDS. If your database is using a certificate from a non-publicly trusted CA, the best you can do is no-verify, which will give you SSL / TLS, but leave you vulnerable to a man-in-the-middle proxy.

More info on Amazon RDS certificates: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Source for downloading RDS root certificates for verification: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesDownload
Desired Behavior

Using a connection string such as postgres://user:pass@host/database?sslmode=require&sslrootcert=/path/to/cert.pem would result in a successful connection using TLS.

Motivation
If your database is using a certificate from a non-publicly trusted CA, the best you can do is no-verify, which will give you SSL / TLS, but leave you vulnerable to a man-in-the-middle proxy. This leaves you one DNS attack or malicious hosts file entry away from streaming your database transactions to unknown attackers in real time.

Implementation
Implement the sslrootcert connection string parameter as implemented in other postgresql client implementations, and in the underlying node-libpq API.
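As an added example (not code from the project or from the issue author), here is how a client could derive the `ssl` options that node's tls.connect() accepts from the sslmode and sslrootcert query parameters of a connection string. The function name, the PEM sanity check and the sslmode-to-option mapping are assumptions, and the CA file contents are supplied through an injectable reader so the sample runs offline.

```javascript
// Added example (not the project's code): map the sslmode / sslrootcert query
// parameters of a postgres:// connection string to the `ssl` options object
// that node's tls.connect() understands. Names and mapping are assumptions.

// Constructed sample CA certificate body, present only so the demo runs offline.
const SAMPLE_CA_PEM =
  '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n';

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// readFile is injectable so tests can supply certificate text without touching disk;
// the default lazily reads the path given in sslrootcert from the filesystem.
function sslOptionsFromConnectionString(
  connStr, readFile = (p) => require('fs').readFileSync(p, 'utf8')) {
  const url = new URL(connStr);
  const sslmode = url.searchParams.get('sslmode') || 'disable';
  const sslrootcert = url.searchParams.get('sslrootcert');

  if (sslmode === 'disable') return false; // plaintext connection
  if (sslmode === 'no-verify') {
    // TLS is used but the peer certificate is never checked, so any proxy that
    // terminates TLS on the path is accepted: the risk the issue describes.
    return { rejectUnauthorized: false };
  }
  if (!['require', 'verify-ca', 'verify-full'].includes(sslmode)) {
    throw new Error(`unsupported sslmode: ${sslmode}`);
  }

  // Verifying modes: an unverifiable peer certificate always aborts the connection.
  const opts = { rejectUnauthorized: true };
  if (sslrootcert) {
    const pem = readFile(sslrootcert);
    if (!PEM_CERT.test(pem)) {
      throw new Error(`sslrootcert ${sslrootcert} does not contain a PEM certificate`);
    }
    // A private CA bundle (e.g. the RDS root certificates) replaces the system store.
    opts.ca = pem;
  }
  if (sslmode === 'verify-ca') {
    // Chain is checked but the hostname is not (libpq semantics); returning
    // undefined from checkServerIdentity tells node the name check passed.
    opts.checkServerIdentity = () => undefined;
  }
  return opts;
}
```

With `ca` set, node trusts only that bundle, so the connection fails closed if a proxy presents a certificate from any other issuer.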