Open hessjcg opened 1 month ago
This is going to be slightly complex to validate during the TLS handshake.

For pg8000, pymysql and pytds it is probably possible to adjust the ssl.wrap_socket() to set do_handshake_on_connect to False, do our verification and then call do_handshake(). Python ssl.wrap_socket documentation

But for asyncpg we don't have control over the handshake at all as it is done in the asyncpg code, we just pass it the SSL/TLS context object.
Feature Description

The server certificate's subject CN field will contain the instance name in the form "{project}:{instance}". The python connector should validate that this is correctly set during the TLS handshake. The connector should reject the connection if the server CN is not set correctly.

See also: https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/issues/1995
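As an added illustration of the deferred-handshake approach from the comment above and the CN check from the feature description (this is example code, not the python connector's own implementation), the sketch below wraps the socket with `do_handshake_on_connect=False`, runs `do_handshake()` explicitly, and only then inspects the peer certificate: `getpeercert()` returns the subject fields only once the handshake has completed and the chain has been verified, so the CN check has to follow the handshake rather than precede it. It assumes the caller supplies an `ssl.SSLContext` with `verify_mode=CERT_REQUIRED` and `check_hostname=False` (the Cloud SQL server certificate is not issued for the IP the connector dials), and it assumes the CN must equal `"{project}:{instance}"` exactly; the function names, the `SAMPLE_PEER_CERT` dict and all values in it are constructed for this example.

```python
import socket
import ssl
from typing import Optional

# Constructed sample in the shape SSLSocket.getpeercert() returns after a
# successful handshake: "subject" is a tuple of RDNs, each a tuple of
# (attribute_type, value) pairs. Every value here is made up for the example.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org (constructed)"),),
        (("commonName", "my-project:my-instance"),),
    ),
    "issuer": ((("commonName", "Example Server CA (constructed)"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def subject_common_name(peer_cert: dict) -> Optional[str]:
    """Return the subject CN from a getpeercert()-style dict, or None if absent.

    An empty dict is what getpeercert() hands back when the certificate was
    not validated (verify_mode=CERT_NONE), so that case yields None as well.
    """
    for rdn in peer_cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def verify_instance_cn(peer_cert: dict, expected_connection_name: str) -> bool:
    """True iff the subject CN is exactly "{project}:{instance}".

    Exact equality is this example's assumption. A missing, empty or
    differently named CN is rejected, never silently accepted.
    """
    return subject_common_name(peer_cert) == expected_connection_name


def connect_with_cn_check(host: str, port: int, ssl_context: ssl.SSLContext,
                          expected_connection_name: str,
                          timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TCP connection, defer the TLS handshake, run it explicitly and
    refuse to hand the socket back unless the server CN names the expected
    instance. On any failure the socket is closed before the error propagates.
    """
    raw_sock = socket.create_connection((host, port), timeout=timeout)
    # Deferred handshake: nothing is sent or verified until do_handshake().
    # Requires ssl_context.check_hostname == False unless server_hostname is given.
    tls_sock = ssl_context.wrap_socket(raw_sock, do_handshake_on_connect=False)
    try:
        tls_sock.do_handshake()          # CA chain verification happens here
        peer_cert = tls_sock.getpeercert()  # populated only after the handshake
        if not verify_instance_cn(peer_cert, expected_connection_name):
            raise ssl.SSLCertVerificationError(
                f"server certificate CN {subject_common_name(peer_cert)!r} "
                f"does not match expected instance {expected_connection_name!r}"
            )
    except Exception:
        tls_sock.close()                 # never leak a half-verified connection
        raise
    return tls_sock
```

The two pure helpers can be exercised offline against `SAMPLE_PEER_CERT`; `connect_with_cn_check` is the piece a pg8000/pymysql/pytds code path could call in place of a plain `wrap_socket()`, while the asyncpg path, which only receives the context object, has no hook at which to insert such a check.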