Description
I have found these related issues/pull requests
Mentioned in #3264, although that issue is not directly relevant.
Description
Overview
PostgreSQL 17.0 introduced a new connection parameter called sslnegotiation that allows clients to establish TLS connections directly without the traditional PostgreSQL-specific SSL negotiation preamble. This feature offers performance benefits and better compatibility with certain proxy configurations.
• PostgreSQL 17.0 Release Notes
• libpq Connection Parameters Documentation
Current Limitation
Currently, SQLx only supports the traditional PostgreSQL SSL negotiation method, which requires an extra round-trip and protocol-specific messages. This can cause issues with certain proxies (like mitmproxy and some corporate proxies) that don't understand the PostgreSQL protocol.
Prefered solution
Proposed Solution
Add support for the sslnegotiation connection parameter in SQLx's PostgreSQL connector, allowing users to choose between:
• postgres (default): Traditional negotiation for backward compatibility
• direct: New direct TLS negotiation for PostgreSQL 17+ servers
Benefits
- Performance improvement: Fewer messages required to establish a secure connection
- Better proxy compatibility: Works with proxies like
mitmproxythat don't understand PostgreSQL protocol - Alignment with PostgreSQL ecosystem:
libpqand other PostgreSQL drivers already support this feature
Is this a breaking change? Why or why not?
This should not be a breaking change, given libpq and other drivers support it already. The default sslnegotiation value results in the same connection procedure which was used previously. Use of the sslnegotiation=direct value would be opt-in only.