
no way to set rejectUnauthorized from pg-connection-string

Open hjr3 opened this issue 5 years ago • 9 comments

Now that rejectUnauthorized is being defaulted to true, there is no way to modify that from the connection string. Some libraries (example) are setting opposite defaults to try and ease the migration.

hjr3 avatar Jul 16 '20 01:07 hjr3

My recommendation:

In general, we should adhere to the libpq connection URI documentation. Specifically, we should support the Parameter Key Words.

  • introduce sslmode. For non-native mode, I do not think we can easily support allow or prefer. I also think verify-ca will not work as expected as rejectUnauthorized seems to check the host. We can document the mapping for non-native mode like this:
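
| sslmode     | Will connect via SSL/TLS? | rejectUnauthorized |
|-------------|---------------------------|--------------------|
| disable     | no                        | n/a                |
| allow       | no                        | n/a                |
| prefer      | no                        | n/a                |
| require     | yes                       | false              |
| verify-ca   | yes                       | false              |
| verify-full | yes                       | true               |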

I do not feel great about verify-ca not setting rejectUnauthorized = true. https://github.com/brianc/node-postgres-docs/issues/79 shows that rejectUnauthorized often requires the host to be specified. This is more strict than the true meaning of verify-ca. That being said, I wonder if we should make it rejectUnauthorized = true even though the postgres documentation states that verify-ca will not check the host.

  • deprecate ssl. If both ssl and sslmode are specified, sslmode will win
  • if ssl is set, also set rejectUnauthorized: true. This maintains the node default but makes it more obvious as to what is going on

hjr3 avatar Jul 16 '20 01:07 hjr3

If https://github.com/brianc/node-postgres/issues/2263 lands, then maybe verify-ca will just work :tm:

hjr3 avatar Jul 16 '20 02:07 hjr3

I have the same problem. Any solution on this?

lroal avatar Nov 05 '20 14:11 lroal

+1 for supporting sslmode keywords. I expected: ssl: { require: false } to be equivalent to the "allow" sslmode keyword, so that my connection would use SSL if the server allowed or required it but not if it didn't. I don't see a way to get the equivalent of "allow" with node-postgres. UPDATE: I don't think require: false is a valid option in the ssl object. I saw an example here but it is not in the node-postgres doc.

radcapitalist avatar Feb 12 '21 14:02 radcapitalist

We are struggling with this as well. Ideally we want to be able to set sslmode: prefer for the ssl option.

the21st avatar Sep 02 '21 11:09 the21st

You can pass sslmode=no-verify in the connection string or you can set env var PGSSLMODE=no-verify

bdwyertech avatar Nov 30 '21 23:11 bdwyertech

Hi everyone, I have a requirement to use verify-ca - with the AWS RDS proxy service the hostname is invalid and you can only check the CA. The OS already has the relevant AWS CA installed.

I'm not clear on whether doing the above (set rejectUnauthorized: false) will actually check the CA? Is there an equivalent to the native verify-ca option or do I need to specify the CA certificate to make it check just the CA?

:+1: for having an sslmode argument but want to make sure it'll actually match psql configuration exactly

ollytheninja avatar Jan 18 '22 20:01 ollytheninja

@bdwyertech mentioned a good-enough workaround:

> You can pass sslmode=no-verify in the connection string or you can set env var PGSSLMODE=no-verify

It is undocumented by libpq but mentioned by @pmalouin here: https://github.com/brianc/node-postgres/pull/2709#issue-1146272544

ceefour avatar Dec 28 '22 05:12 ceefour
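
Added example, not code from node-postgres or pg-connection-string: a sketch of the sslmode mapping proposed in this thread, expressed as options for Node's `tls.connect()`. It departs from the proposed table in one place: `verify-ca` keeps `rejectUnauthorized: true` and skips only the hostname check through Node's `checkServerIdentity` option, so the certificate chain is still validated. The function name, the `caPem` parameter and the sample connection strings are assumptions made for illustration.

```javascript
// Hypothetical helper (not part of pg or pg-connection-string).
// Attaches a CA bundle when the caller supplies one; otherwise Node's
// default trust store is used.
const withCa = (opts, caPem) => (caPem ? { ...opts, ca: caPem } : opts);

// Returns `false` (no TLS) or an options object suitable for tls.connect().
function sslOptionsFromConnectionString(connectionString, caPem) {
  const url = new URL(connectionString);
  // libpq's default sslmode is "prefer" when the parameter is absent.
  const mode = url.searchParams.get('sslmode') || 'prefer';

  switch (mode) {
    // Per the table in this thread: no fallback logic in non-native mode,
    // so these three never use TLS.
    case 'disable':
    case 'allow':
    case 'prefer':
      return false;

    // Encrypted but unauthenticated: any server certificate is accepted,
    // so the connection is not protected against an active interceptor.
    case 'require':
    case 'no-verify':
      return { rejectUnauthorized: false };

    // Chain must validate against a trusted CA. Returning undefined from
    // checkServerIdentity means "no error", which skips the hostname match.
    case 'verify-ca':
      return withCa(
        { rejectUnauthorized: true, checkServerIdentity: () => undefined },
        caPem
      );

    // Chain and hostname are both checked (Node's default behaviour).
    case 'verify-full':
      return withCa({ rejectUnauthorized: true }, caPem);

    default:
      // Fail closed so a typo cannot silently downgrade verification.
      throw new Error(`unsupported sslmode: ${mode}`);
  }
}
```
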