search

rwf2 / Rocket

A web framework for Rust.
https://rocket.rs
Other
24.62k stars 1.57k forks source link

sslmode=required not working for rocket_db_pool with feature diesel_postgres #2820

Open xscoops opened 4 months ago

xscoops commented 4 months ago

What's missing?

I would like to use rocket_db_pool with feature diesel_postgres with sslmode=require in the connection url. Unfortunately I get the following error message:

   >> Matched: (a) GET /a
   >> Request guard `Connection < Db >` failed: Some(Get(Backend(ConnectionError(CouldntSetupConfiguration(DatabaseError(UnableToSendCommand, "error performing TLS handshake: no TLS implementation configured")))))).
   >> Outcome: Error(503 Service Unavailable)
   >> No 503 catcher registered. Using Rocket default.
   >> Response succeeded.

I have seen the following message on the diesel-async repo but I have no idea how to integrate the example with my Rocket application:

In the event of using this crate with a sslmode=require flag, it will be necessary to build a TLS cert. There is an example provided for doing this using the rustls crate in the postgres examples folder.

Any help would be greatly appreciated

Ideal Solution

No response

Why can't this be implemented outside of Rocket?

I believe Rocket should have support for secure database built in

Are there workarounds usable today?

There is a diesel-async workaround is described here: https://github.com/weiznich/diesel_async/blob/main/examples/postgres/pooled-with-rustls/src/main.rs

Alternative Solutions

No response

Additional Context

No response

System Checks

the10thWiz commented 4 months ago

The issue is likely that the underlying tokio_postrgess implementation is refusing the connection, since it doesn't trust the tls certificate provided by the database. To fix this, you need to either use unencrypted communication, or add the certificate to the list of trusted certificates. The workaround works by creating a custom tls config, with the added trusted cert, but you might also be able to add the cert to the OS's list of trusted certs.

In many cases, encrypting the connection to the database isn't needed, since the database is (due to the network structure) inaccessible from anywhere except the application server.