exyi / pg2parquet

Export PostgreSQL table or query into Parquet file
Apache License 2.0

Allow configuration of TLS connection #7

Closed piraka9011 closed 1 year ago

piraka9011 commented 1 year ago

Connecting to my AWS RDS postgres instance does not require TLS.

The postgres connection should be specified as requiring TLS or not at run time via the cli flags. It should not be based on compile time conditionals.

exyi commented 1 year ago

That is weird, it behaves differently for me. The compile-time conditionals should only specify if TLS is supported, but it is never required. I can connect to my local PostgreSQL without TLS just fine.

Is it the case that TLS seems supported, but it's broken for some reason?

I can add a cli flag to set if TLS is required/preferred/disabled - it could be used to prevent downgrade attacks and it would allow you to bypass TLS if it's supported but broken.

piraka9011 commented 1 year ago

You're right in that the flags are enabled only if TLS is supported. But the connection to postgres itself does not require SSL/TLS and the current implementation assumes all connections will use TLS.

The rust-postgres docs also mention "the NoTls type in this crate can be used when TLS is not required", not when it is not supported. (Emphasis mine)

If you want to read more, this should correspond to the sslmode configuration flag when connecting to a postgres instance.

This is the exact stack trace I get btw when I try to connect.

Error occured while executing command Some(Export(ExportArgs { output_file: "/home/ubuntu/test.parquet", query: Some("<myQuery>"), table: None, compression: None, postgres: PostgresConnArgs { host: "<myHost>", user: Some("root"), dbname: "<myDb>", port: Some(5432), password: None }, schema_settings: SchemaSettingsArgs { macaddr_handling: Text, json_handling: Text, enum_handling: Text, decimal_scale: 18, decimal_precision: 38 } }))

DB connection failed: error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883: (self-signed certificate in certificate chain)

I currently built my own pg2parquet hardcoding NoTls in the connection as my knowledge of rust is pretty limited and I can't implement this request myself (I did take a stab at it though...)

As a side note, you should try to make sure the password isn't leaked from the config in the stack trace!

exyi commented 1 year ago

Ok, the problem seems to be that the server is willing to communicate with TLS, but the certificate is self-signed ("self-signed certificate in certificate chain"). I'll add the CLI option to disable it.

> As a side note, you should try to make sure the password isn't leaked from the config in the stack trace!

Oh yea, that's stupid, sorry.
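The leak above happens because the error path prints the parsed CLI arguments with `{:?}`, and a derived `Debug` prints every field, including `password`. An added example (not pg2parquet's own code) of the usual Rust fix: wrap the secret in a newtype whose `Debug` impl never prints the value, so any `{:?}` of the surrounding struct, including one in an error message, stays safe. The struct and field names mirror the trace above but are assumptions, not the project's real types.

```rust
use std::fmt;

/// Newtype for secrets. `Debug` deliberately hides the contents, so a
/// derived `Debug` on any struct containing it cannot leak the value.
#[derive(Clone)]
pub struct Secret(String);

impl Secret {
    pub fn new(s: impl Into<String>) -> Self {
        Secret(s.into())
    }

    /// The only way to read the secret: an explicit call at the point of use
    /// (e.g. when building the connection config), never via formatting.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

/// Hypothetical stand-in for the connection arguments shown in the trace.
#[derive(Debug, Clone)]
pub struct PostgresConnArgs {
    pub host: String,
    pub user: Option<String>,
    pub dbname: String,
    pub port: Option<u16>,
    pub password: Option<Secret>,
}

/// Builds the kind of message the original error path printed.
/// With the newtype in place, the password can no longer appear in it.
pub fn render_error(args: &PostgresConnArgs, err: &str) -> String {
    format!("Error occurred while executing command {:?}: {}", args, err)
}

fn main() {
    // Constructed sample input; no real credentials.
    let args = PostgresConnArgs {
        host: "db.example.invalid".into(),
        user: Some("root".into()),
        dbname: "mydb".into(),
        port: Some(5432),
        password: Some(Secret::new("correct-horse")),
    };
    println!("{}", render_error(&args, "DB connection failed"));
    // The secret is still usable where it is actually needed.
    let _pw = args.password.as_ref().map(Secret::expose);
}
```

Because the redaction lives in the type rather than in each call site, later additions such as a `Display` impl or a log statement elsewhere cannot reintroduce the leak by accident.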

jyeray commented 1 year ago

Hi!

I have a similar issue with the TLS, is there any workaround until this is implemented?

Thank you

exyi commented 1 year ago

Is the problem also that your server seems to support TLS, but the TLS connection in fact fails and you want to force downgrade to non-TLS connection?

In such a case, I'd suggest either fixing the TLS or disabling it on the DB :] Anyway, adding the switch to disable TLS should be easy.

For now you could use the static musl build, we did not want to static-link openssl, so it doesn't support TLS connections.

exyi commented 1 year ago

I have added the option:

      --sslmode <SSLMODE>
          Controls whether to use SSL/TLS to connect to the server

          Possible values:
          - disable:
            Do not use TLS
          - prefer:
            Attempt to connect with TLS but allow sessions without (default behavior compiled with SSL support)
          - require:
            Require the use of TLS

It should be published on crates.io, if you want to install using cargo: cargo install pg2parquet@0.1.0-beta.6. I'll reopen the issue, please let me know if it actually helped. I don't know what the exact problem is, so I can't test it (and I'd be too lazy anyway)
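The three values mirror libpq's `sslmode` semantics, and the security difference between them is the fallback rule: `prefer` silently downgrades to plaintext whenever the TLS attempt fails, which is exactly what an on-path attacker would try to provoke, while `require` fails closed. An added example (not pg2parquet's code) that parses the flag value and applies that policy to a simulated handshake outcome; the `TlsAttempt`/`Transport` types and the `negotiate` function are assumptions used to make the rule explicit, standing in for what the real TLS connector would report.

```rust
use std::str::FromStr;

/// The three values accepted by the --sslmode flag described above.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SslMode {
    Disable,
    Prefer,
    Require,
}

impl FromStr for SslMode {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_ascii_lowercase().as_str() {
            "disable" => Ok(SslMode::Disable),
            "prefer" => Ok(SslMode::Prefer),
            "require" => Ok(SslMode::Require),
            other => Err(format!(
                "unknown sslmode {:?} (expected disable|prefer|require)",
                other
            )),
        }
    }
}

/// Simulated outcome of one TLS attempt (a real client gets this from its connector).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsAttempt {
    /// Server accepted TLS and the handshake completed.
    Ok,
    /// Server does not offer TLS at all.
    NotOffered,
    /// Server offers TLS but the handshake failed, e.g. an untrusted self-signed certificate
    /// as in the trace earlier in this thread.
    HandshakeFailed,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport {
    Tls,
    Plain,
}

/// Applies the sslmode policy. `try_tls` is only invoked when the mode allows TLS.
pub fn negotiate(mode: SslMode, try_tls: impl Fn() -> TlsAttempt) -> Result<Transport, String> {
    match mode {
        // disable: never even attempt TLS.
        SslMode::Disable => Ok(Transport::Plain),
        // prefer: opportunistic encryption. Any failure, including one an attacker
        // induces, quietly falls back to plaintext; no protection against downgrade.
        SslMode::Prefer => match try_tls() {
            TlsAttempt::Ok => Ok(Transport::Tls),
            TlsAttempt::NotOffered | TlsAttempt::HandshakeFailed => Ok(Transport::Plain),
        },
        // require: fail closed. This is the setting that prevents a downgrade.
        SslMode::Require => match try_tls() {
            TlsAttempt::Ok => Ok(Transport::Tls),
            TlsAttempt::NotOffered => {
                Err("server does not offer TLS but sslmode=require was given".to_string())
            }
            TlsAttempt::HandshakeFailed => {
                Err("TLS handshake failed and sslmode=require forbids plaintext fallback".to_string())
            }
        },
    }
}

fn main() {
    // Constructed scenario: the server has a self-signed certificate, as in the issue.
    let server = || TlsAttempt::HandshakeFailed;
    for flag in ["disable", "prefer", "require"] {
        let mode: SslMode = flag.parse().expect("valid sslmode");
        println!("--sslmode {:<8} -> {:?}", flag, negotiate(mode, server));
    }
}
```

Practical reading: `disable` is the explicit workaround this thread asked for, `prefer` reproduces the handshake failure as a silent plaintext session, and `require` turns the same failure into a hard error, so choose `require` whenever the path to the database is not trusted.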

piraka9011 commented 1 year ago

Thank you!

jyeray commented 1 year ago

@exyi The new sslmode option worked for me, thank you a lot!