search

brianc / node-postgres

PostgreSQL client for node.js.
https://node-postgres.com
MIT License
12.24k stars 1.22k forks source link

support sslrootcert=system #3101

Open cassus opened 10 months ago

cassus commented 10 months ago

From v16 the postgres client supports a special sslrootcert connection string param that uses the system root certificate storage. It would be great if node-postgres would also support this param

The special value system may be specified instead, in which case the system's trusted CA roots will be loaded. The exact locations of these root certificates differ by SSL implementation and platform. For OpenSSL in particular, the locations may be further modified by the SSL_CERT_DIR and SSL_CERT_FILE environment variables.

https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLROOTCERT

Current behavior

when sslrootcert=system is in the connection string the behavior is TypeError: dr.readFileSync is not a function

sslrootcert=system is already the default behavior of node-postgres, but it's not obvious for me by reading the https://node-postgres.com/features/ssl documentation

Blog post:

I’m pleased to report that the node-postgres TLS implementation defaults to sslrootcert=system behavior unless you explicitly specify the option rejectUnauthorized=false. https://neon.tech/blog/avoid-mitm-attacks-with-psql-postgres-16

charmander commented 10 months ago

sslrootcert=system might already be the default behavior of node-postgres

(it is)

cassus commented 10 months ago

Great! Thanks @charmander! I updated the issue description.

I guess this means that the implementation of this feature would be very easy: just ignore sslrootcert if it's set to system ?