From ef6bc46c79121a4050bc43fafd485418c57ff419 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 10 Jun 2024 15:03:04 +0200 Subject: [PATCH 1/7] docs(sdb): add new frameworks to SSL/TLS MTA-4594 --- .../api-cli/secure-connection-ssl-tls.mdx | 87 +++++++++++++++++-- 1 file changed, 82 insertions(+), 5 deletions(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index 9accca8c86..a13ffb2f7b 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -13,11 +13,18 @@ dates: This documentation will guide you through SSL/TLS configuration in your PostgreSQL-compatible client to ensure your traffic with Scaleway's Serverless SQL Databases is encrypted. Configuration examples for languages, frameworks and tools: - - [Python](#pythonpsycopg2) - - [Python](#pythondjango) - - [Node.js](#nodejsnode-postgres) - - [Node.js](#nodejspostgresjs) - - [Node.js](#javajdbc) + - [Python/psycopg2](#pythonpsycopg2) + - [Python/Django](#pythondjango) + - [Python/asyncpg](#pythonasyncpg) + - [Node.js/node-postgres](#nodejsnode-postgres) + - [Node.js/Postgres.js](#nodejspostgresjs) + - [Node.js/Prisma](#nodejspostgresjs) + - [Go/pq](#gopq) + - [Go/pgx](#gopgx) + - [PHP/pgsql](#phppgsql) + - [Java/JDBC](#javajdbc) + - [C#/.NET/Npgsql](#cnetnpgsql) + - [Rust/rust-postgres](#rustrust-postgres) - [psql](#psql) ## Generic configuration settings @@ -85,6 +92,17 @@ DATABASES = { } ``` +### Python/asyncpg + +[asyncpg](https://github.com/MagicStack/asyncpg) supports `sslmode=verify-full` but doesn't support yet `sslrootcert=system` option. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full`, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: + ```python + conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full") + ``` + Alternatively, you can also add the property "sslrootcert=full/path/to/certificate/isrgrootx1.pem" to specify the full path to the certificate without renaming it `root.crt`: + ```python + conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=full/path/to/certificate/isrgrootx1.pem") + ``` + ### Node.js/node-postgres [node-postgres](https://node-postgres.com/) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. @@ -130,6 +148,29 @@ To ensure SSL/TLS is enforced and the server certificate is valid, add these two DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require&sslaccept=strict ``` +### Go/pq + +[pq](https://github.com/lib/pq) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: + ```go + connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" + conn, err := pgx.Connect(context.Background(), connString) + ``` + +### Go/pgx + +[pgx](https://github.com/jackc/pgx) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: + ```go + connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" + db, err := sql.Open("postgres", connString) + ``` + +### PHP/pgsql + +As the default PostgreSQL driver bundled with PHP, [pgsql](https://www.php.net/manual/en/book.pgsql.php) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: + ```php + $dbconn = pg_connect("host={host} port={port} dbname={databasename} user={username} password={password} sslmode=verify-full sslrootcert=system") + ``` + ### Java/JDBC JDBC driver does not support the `sslrootcert=system` option, but supports the `ssl=true` option which, when enabled, performs certificate checks by default against the certificate named `root.crt` stored in `~/.postgresql`. @@ -157,6 +198,42 @@ Alternatively, you can add the property `"sslrootcert=full/path/to/certificate/i Connection conn = DriverManager.getConnection(url,props); ``` +### C#/.NET/Npgsql + +[Npgsql](https://www.npgsql.org/) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: + ```cs + var connString = "Host={host};Username={username};Password={password};Database={databasename};Port=5432;SSL Mode=VerifyFull;"; + var dataSourceBuilder = new NpgsqlDataSourceBuilder(connString); + ``` + +### Rust + +[rust-postgresql](https://github.com/sfackler/rust-postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`. However, when using `sslmode=require`, you can also pass a `TlsConnector` object to performed certificate verification and when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=require`: + ```rust + use postgres::{Client}; + use openssl::ssl::{SslConnector, SslMethod}; + use postgres_openssl::{MakeTlsConnector}; + + fn main() { + let builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); + let connector = MakeTlsConnector::new(builder.build()); + let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); + } + ``` + Alternatively, you can also download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), store it in `~/.postgresql/isrgrootx1.pem` and specify the certificate directly using: + ```rust + use postgres::{Client}; + use openssl::ssl::{SslConnector, SslMethod}; + use postgres_openssl::{MakeTlsConnector}; + + fn main() { + let mut builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); + builder.set_ca_file("full/path/to/certificate/isrgrootx1.pem").expect("unable to locate certificate file"); + let connector = MakeTlsConnector::new(builder.build()); + let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); + } + ``` + ## Examples for SQL Client tools ### psql From 770753d67aeaa11e40403644154bb4249d7b8bb4 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 10 Jun 2024 16:42:09 +0200 Subject: [PATCH 2/7] docs(sdb): update --- .../api-cli/secure-connection-ssl-tls.mdx | 133 ++++++++++-------- 1 file changed, 77 insertions(+), 56 deletions(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index a13ffb2f7b..de5eceea45 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -80,8 +80,8 @@ DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': {databasename}, - 'USER': {username}, #IAM principal ID of the user or application your are connecting with - 'PASSWORD': {password}, #IAM Secret Key of the user or application your are connecting with + 'USER': {username}, #IAM principal ID of the user or application you are connecting with + 'PASSWORD': {password}, #IAM Secret Key of the user or application you are connecting with 'HOST': {host}, #Host formated as {database-id}.pg.sdb.{region}.scw.cloud 'PORT': {port}, #Default port for PostgreSQL is supported: 5432 'OPTIONS': { @@ -94,18 +94,22 @@ DATABASES = { ### Python/asyncpg -[asyncpg](https://github.com/MagicStack/asyncpg) supports `sslmode=verify-full` but doesn't support yet `sslrootcert=system` option. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full`, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: - ```python - conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full") - ``` - Alternatively, you can also add the property "sslrootcert=full/path/to/certificate/isrgrootx1.pem" to specify the full path to the certificate without renaming it `root.crt`: - ```python - conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=full/path/to/certificate/isrgrootx1.pem") - ``` +[asyncpg](https://github.com/MagicStack/asyncpg) supports `sslmode=verify-full`, but does not support the `sslrootcert=system` option yet. + +To make sure SSL/TLS is enforced, and the server certificate is valid, edit your connection parameters to set the `sslmode=verify-full`parameter, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: +```python +conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full") +``` + +Alternatively, you can add the `sslrootcert=full/path/to/certificate/isrgrootx1.pem` property to specify the full path to the certificate without renaming it `root.crt`: + +```python +conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=full/path/to/certificate/isrgrootx1.pem") +``` ### Node.js/node-postgres -[node-postgres](https://node-postgres.com/) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. +[node-postgres](https://node-postgres.com/) does not support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. To ensure SSL/TLS is enforced and your server certificate is valid, add `ssl:true` to your connection parameters: ```js @@ -121,7 +125,7 @@ const client = new Client({ ### Node.js/Postgres.js -[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. +[Postgres.js](https://github.com/porsager/postgres) does not support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. To ensure SSL/TLS is enforced and the server certificate is valid, edit your connection parameters to add `ssl:true` parameters: @@ -140,7 +144,7 @@ const sql = postgres({ You can use several drivers with [Prisma](https://www.prisma.io/docs/orm/overview/databases/postgresql#configuring-an-ssl-connection), refer to their official documentation for more information on how to configure SSL/TLS. -By default, Prisma uses its built-in PostgreSQL driver which doesn't support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity checks by using the `sslmode=require` and `sslaccept=strict` parameters. +By default, Prisma uses its built-in PostgreSQL driver which does not support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity checks by using the `sslmode=require` and `sslaccept=strict` parameters. To ensure SSL/TLS is enforced and the server certificate is valid, add these two parameters to your connection string in your `.env` file: @@ -150,26 +154,35 @@ DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?ssl ### Go/pq -[pq](https://github.com/lib/pq) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: - ```go - connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" - conn, err := pgx.Connect(context.Background(), connString) - ``` +[pq](https://github.com/lib/pq) supports the `sslmode=verify-full` option, but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made against the default certification authority certificates trusted by your operating system, as if `sslrootcert=system` parameter was set. + +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` to your connection parameters: + +```go +connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" +conn, err := pgx.Connect(context.Background(), connString) +``` ### Go/pgx -[pgx](https://github.com/jackc/pgx) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: - ```go - connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" - db, err := sql.Open("postgres", connString) - ``` +[pgx](https://github.com/jackc/pgx) supports the `sslmode=verify-full` option, but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made against default certification authority certificates trusted by your operating system, as if `sslrootcert=system` parameter was set. + +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` to your connection parameters: + +```go +connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" +db, err := sql.Open("postgres", connString) +``` ### PHP/pgsql -As the default PostgreSQL driver bundled with PHP, [pgsql](https://www.php.net/manual/en/book.pgsql.php) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: - ```php - $dbconn = pg_connect("host={host} port={port} dbname={databasename} user={username} password={password} sslmode=verify-full sslrootcert=system") - ``` +As the default PostgreSQL driver bundled with PHP, [pgsql](https://www.php.net/manual/en/book.pgsql.php) uses [libpq](https://www.postgresql.org/docs/current/libpq.html). The same official PostgreSQL parameter can therefore be used. + +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` and `sslrootcert=system` to your connection parameters: + +```php +$dbconn = pg_connect("host={host} port={port} dbname={databasename} user={username} password={password} sslmode=verify-full sslrootcert=system") +``` ### Java/JDBC @@ -200,39 +213,47 @@ Alternatively, you can add the property `"sslrootcert=full/path/to/certificate/i ### C#/.NET/Npgsql -[Npgsql](https://www.npgsql.org/) supports `sslmode=verify-full` option but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made againt default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=verify-full` parameter: - ```cs - var connString = "Host={host};Username={username};Password={password};Database={databasename};Port=5432;SSL Mode=VerifyFull;"; - var dataSourceBuilder = new NpgsqlDataSourceBuilder(connString); - ``` +[Npgsql](https://www.npgsql.org/) supports the `sslmode=verify-full` option, but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made against default certification authority certificates trusted by your operating system, as if the `sslrootcert=system` parameter was set. + +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` to your connection parameters: + +```cs +var connString = "Host={host};Username={username};Password={password};Database={databasename};Port=5432;SSL Mode=VerifyFull;"; +var dataSourceBuilder = new NpgsqlDataSourceBuilder(connString); +``` ### Rust -[rust-postgresql](https://github.com/sfackler/rust-postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`. However, when using `sslmode=require`, you can also pass a `TlsConnector` object to performed certificate verification and when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default Certification Authority certificates trusted by your Operating System as if `sslrootcert=system` parameter was set. To ensure SSL / TLS is enforced and server certificate is valid, edit your connection parameters to set `sslmode=require`: - ```rust - use postgres::{Client}; - use openssl::ssl::{SslConnector, SslMethod}; - use postgres_openssl::{MakeTlsConnector}; +[rust-postgresql](https://github.com/sfackler/rust-postgres) does not support the `sslmode=verify-full` and `sslrootcert=system` options. However, when using `sslmode=require`, you can pass a `TlsConnector` object to perform the certificate verification. - fn main() { - let builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); - let connector = MakeTlsConnector::new(builder.build()); - let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); - } - ``` - Alternatively, you can also download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), store it in `~/.postgresql/isrgrootx1.pem` and specify the certificate directly using: - ```rust - use postgres::{Client}; - use openssl::ssl::{SslConnector, SslMethod}; - use postgres_openssl::{MakeTlsConnector}; - - fn main() { - let mut builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); - builder.set_ca_file("full/path/to/certificate/isrgrootx1.pem").expect("unable to locate certificate file"); - let connector = MakeTlsConnector::new(builder.build()); - let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); - } - ``` +Also, when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default certification authority certificates trusted by your operating system as if `sslrootcert=system` parameter was set. + +To ensure SSL / TLS is enforced and the server certificate is valid, add `sslmode=require` to your connection parameters: +```rust +use postgres::{Client}; +use openssl::ssl::{SslConnector, SslMethod}; +use postgres_openssl::{MakeTlsConnector}; + +fn main() { + let builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); + let connector = MakeTlsConnector::new(builder.build()); + let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); +} +``` + +Alternatively, you can download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), store it in `~/.postgresql/isrgrootx1.pem`, and directly specify the certificate: +```rust +use postgres::{Client}; +use openssl::ssl::{SslConnector, SslMethod}; +use postgres_openssl::{MakeTlsConnector}; + +fn main() { + let mut builder = SslConnector::builder(SslMethod::tls()).expect("unable to create sslconnector builder"); + builder.set_ca_file("full/path/to/certificate/isrgrootx1.pem").expect("unable to locate certificate file"); + let connector = MakeTlsConnector::new(builder.build()); + let mut client = Client::connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require", connector).expect("Connection failed"); +} +``` ## Examples for SQL Client tools From 0c09899736ad58de09c1b32e92e3bfa50f88c24b Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 10 Jun 2024 16:52:07 +0200 Subject: [PATCH 3/7] docs(sdb): update --- .../sql-databases/api-cli/secure-connection-ssl-tls.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index de5eceea45..05d6ef6fbb 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -18,13 +18,13 @@ Configuration examples for languages, frameworks and tools: - [Python/asyncpg](#pythonasyncpg) - [Node.js/node-postgres](#nodejsnode-postgres) - [Node.js/Postgres.js](#nodejspostgresjs) - - [Node.js/Prisma](#nodejspostgresjs) + - [Node.js/Prisma](##nodejsprisma) - [Go/pq](#gopq) - [Go/pgx](#gopgx) - [PHP/pgsql](#phppgsql) - [Java/JDBC](#javajdbc) - [C#/.NET/Npgsql](#cnetnpgsql) - - [Rust/rust-postgres](#rustrust-postgres) + - [Rust/rust-postgres](#rust) - [psql](#psql) ## Generic configuration settings From 130be40e4900b57c63f9018552db49cb22fe3df5 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Tue, 11 Jun 2024 11:07:37 +0200 Subject: [PATCH 4/7] Update serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index 05d6ef6fbb..738fd74e0f 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -228,7 +228,7 @@ var dataSourceBuilder = new NpgsqlDataSourceBuilder(connString); Also, when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default certification authority certificates trusted by your operating system as if `sslrootcert=system` parameter was set. -To ensure SSL / TLS is enforced and the server certificate is valid, add `sslmode=require` to your connection parameters: +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=require` to your connection parameters: ```rust use postgres::{Client}; use openssl::ssl::{SslConnector, SslMethod}; From b10b713d9263f146f9721d01ae1ec81fc2edc848 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Tue, 11 Jun 2024 11:07:45 +0200 Subject: [PATCH 5/7] Update serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index 738fd74e0f..534cccf83d 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -96,7 +96,7 @@ DATABASES = { [asyncpg](https://github.com/MagicStack/asyncpg) supports `sslmode=verify-full`, but does not support the `sslrootcert=system` option yet. -To make sure SSL/TLS is enforced, and the server certificate is valid, edit your connection parameters to set the `sslmode=verify-full`parameter, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: +To make sure SSL/TLS is enforced, and the server certificate is valid, edit your connection parameters to set the `sslmode=verify-full` parameter, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: ```python conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full") ``` From 404d611c140b4a2dd60c9ec47b0d7ddcf45911de Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Tue, 11 Jun 2024 14:57:19 +0200 Subject: [PATCH 6/7] Update serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx Co-authored-by: nerda-codes <87707325+nerda-codes@users.noreply.github.com> --- serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index 534cccf83d..b26d9a862a 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -109,7 +109,7 @@ conn = await asyncpg.connect("postgresql://{username}:{password}@{host}:{port}/{ ### Node.js/node-postgres -[node-postgres](https://node-postgres.com/) does not support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. +[node-postgres](https://node-postgres.com/) does not support `sslmode=verify-full` and `sslrootcert=system`, but both the default connection string option `sslmode=require` and the driver-specific parameter `ssl:true` option check for certificate validity. You can use either one of them. To ensure SSL/TLS is enforced and your server certificate is valid, add `ssl:true` to your connection parameters: ```js From de770b55031c48b77401f7e72c0402be1f11ec50 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Tue, 11 Jun 2024 14:57:54 +0200 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: nerda-codes <87707325+nerda-codes@users.noreply.github.com> --- .../sql-databases/api-cli/secure-connection-ssl-tls.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx index b26d9a862a..9f57dc437d 100644 --- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx @@ -165,9 +165,9 @@ conn, err := pgx.Connect(context.Background(), connString) ### Go/pgx -[pgx](https://github.com/jackc/pgx) supports the `sslmode=verify-full` option, but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made against default certification authority certificates trusted by your operating system, as if `sslrootcert=system` parameter was set. +[pgx](https://github.com/jackc/pgx) supports the `sslmode=verify-full` option, but not `sslrootcert=system`. However, when using `sslmode=verify-full`, checks will also be made against default certification authority certificates trusted by your operating system, as if the `sslrootcert=system` parameter was set. -To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` to your connection parameters: +To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=verify-full` to your connection parameters: ```go connString := "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full" @@ -224,9 +224,9 @@ var dataSourceBuilder = new NpgsqlDataSourceBuilder(connString); ### Rust -[rust-postgresql](https://github.com/sfackler/rust-postgres) does not support the `sslmode=verify-full` and `sslrootcert=system` options. However, when using `sslmode=require`, you can pass a `TlsConnector` object to perform the certificate verification. +[rust-postgresql](https://github.com/sfackler/rust-postgres) does not support the `sslmode=verify-full` and `sslrootcert=system` options. However, when using `sslmode=require`, you can pass a `TlsConnector` object to perform the certificate verification. -Also, when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default certification authority certificates trusted by your operating system as if `sslrootcert=system` parameter was set. +Also, when using the standard [rust-openssl](https://github.com/sfackler/rust-openssl) library, checks will also be made against default certification authority certificates trusted by your operating system as if the `sslrootcert=system` parameter was set. To ensure SSL/TLS is enforced and the server certificate is valid, add `sslmode=require` to your connection parameters: ```rust