lemmy icon indicating copy to clipboard operation
lemmy copied to clipboard
verified publisher icon LemmyNet

Add TLS support for diesel-async database connections

Open sunaurus opened this issue 2 years ago • 1 comments

This PR adds a new tls_enabled configuration option in the database block of lemmy.hsjon. When configured to true, Lemmy will create SSL connections to the postgres database through diesel-async.

By default, the database certificate will be verified using the OS certificate store (thanks to rustls-native-certs), but users can also provide a path to a CA certificate file directly using the LEMMY_DATABASE_CERT_PATH env variable if necessary.

Note, by default tls_enabled will be false, so using SSL connections will be entirely opt-in.

This fixes #3007

sunaurus avatar Jun 18 '23 21:06 sunaurus

I have significantly reduced the scope of this PR: it only aims to provide support for sslmode=require now (which means that a TLS connection will be used - preventing eavesdropping - but the server identity will not be verified).

No new configuration parameters are needed anymore, sslmode=require is parsed from the database connection string.

After discussions with some other admins, I realized that sslmode=require support would provide the biggest ROI while keeping the code much simpler compared to trying to support additional sslmodes.

sunaurus avatar Jun 23 '23 18:06 sunaurus

I see what you did here 👀

tristanisham avatar Jun 30 '23 23:06 tristanisham