TLS support using rustls.
This module provides TLS/SSL connection upgrade for PostgreSQL connections using the rustls library. It supports:
- All PostgreSQL SSL modes (disable, prefer, require, verify-ca, verify-full)
- Custom CA certificates
- Client certificate authentication (mTLS)
- SNI hostname override
§SSL Modes
| Mode | Chain Verified | Hostname Verified | Falls back to plain |
|---|---|---|---|
| Disable | - | - | N/A (never uses TLS) |
| Prefer | No | No | Yes |
| Require | No | No | No |
| VerifyCa | Yes | No | No |
| VerifyFull | Yes | Yes | No |
§Security Considerations
- Prefer and Require modes are vulnerable to MITM attacks: neither verifies the server certificate, and Prefer additionally falls back to plaintext if the server (or an on-path attacker) declines TLS.
- VerifyCa protects against MITM by validating the certificate chain against the configured CA, but accepts a certificate issued for any hostname by that CA.
- VerifyFull validates both the chain and the hostname and provides full protection (recommended for production).
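To make the "Falls back to plain" column concrete, here is an added example (not code from pgwire_replication) that models the PostgreSQL SSLRequest exchange which precedes any TLS upgrade and shows how each mode reacts to a server answering `N`. The `SslMode` enum, `negotiate` function and error type are illustrative and assumed; the crate's own `TlsConfig` is not reproduced. The 8-byte SSLRequest packet and the `S`/`N` reply are taken from the PostgreSQL frontend/backend protocol.

```rust
// Added example, not part of pgwire_replication. Assumed types: SslMode,
// Next, UpgradeError and negotiate() exist only to illustrate the policy
// in the table above.

/// PostgreSQL sslmode values; the policy methods mirror the table above.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SslMode {
    Disable,
    Prefer,
    Require,
    VerifyCa,
    VerifyFull,
}

impl SslMode {
    /// Disable never sends an SSLRequest; every other mode starts with one.
    pub fn sends_ssl_request(self) -> bool {
        self != SslMode::Disable
    }

    /// The chain is checked against the trust store only in the verify-* modes.
    pub fn verifies_chain(self) -> bool {
        matches!(self, SslMode::VerifyCa | SslMode::VerifyFull)
    }

    /// The server name is matched against the certificate only in verify-full.
    pub fn verifies_hostname(self) -> bool {
        self == SslMode::VerifyFull
    }
}

/// The 8-byte SSLRequest packet: Int32 length (8) followed by the request
/// code 80877103 (1234 << 16 | 5679), both big-endian, as defined by the
/// PostgreSQL frontend/backend protocol.
pub fn ssl_request_message() -> [u8; 8] {
    let mut msg = [0u8; 8];
    msg[..4].copy_from_slice(&8i32.to_be_bytes());
    msg[4..].copy_from_slice(&80877103i32.to_be_bytes());
    msg
}

/// What the client does after reading the server's single-byte answer.
#[derive(Debug, PartialEq, Eq)]
pub enum Next {
    /// Continue with an unencrypted StartupMessage.
    Plain,
    /// Run the TLS handshake with the given verification policy.
    Tls { verify_chain: bool, verify_hostname: bool },
}

#[derive(Debug, PartialEq, Eq)]
pub enum UpgradeError {
    /// Server answered 'N' and the mode does not permit plaintext.
    ServerRefusedTls,
    /// Anything other than 'S' or 'N': treat as hostile and drop the socket.
    UnexpectedReply(u8),
}

/// Decide the next step from the configured mode and the server's reply
/// (`reply` is the byte read after sending `ssl_request_message()`).
pub fn negotiate(mode: SslMode, reply: u8) -> Result<Next, UpgradeError> {
    if !mode.sends_ssl_request() {
        // Disable: no SSLRequest was sent, so there is no reply to interpret.
        return Ok(Next::Plain);
    }
    match reply {
        b'S' => Ok(Next::Tls {
            verify_chain: mode.verifies_chain(),
            verify_hostname: mode.verifies_hostname(),
        }),
        // Prefer is the only mode that accepts the downgrade. The 'N' can come
        // from an on-path attacker just as easily as from the real server,
        // which is why Prefer offers no MITM protection even before the
        // missing certificate checks are considered.
        b'N' if mode == SslMode::Prefer => Ok(Next::Plain),
        b'N' => Err(UpgradeError::ServerRefusedTls),
        other => Err(UpgradeError::UnexpectedReply(other)),
    }
}

fn main() {
    println!("SSLRequest bytes: {:02x?}", ssl_request_message());
    for mode in [SslMode::Prefer, SslMode::Require, SslMode::VerifyCa, SslMode::VerifyFull] {
        println!("{:?} on 'N': {:?}", mode, negotiate(mode, b'N'));
        println!("{:?} on 'S': {:?}", mode, negotiate(mode, b'S'));
    }
}
```

The point to take from `negotiate` is that only Prefer turns a refused upgrade into a plaintext session; Require and the verify-* modes fail closed, and an unexpected reply byte is treated as an error rather than silently continuing.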
§Example

```rust
use pgwire_replication::config::TlsConfig;
use pgwire_replication::tls::rustls::{maybe_upgrade_to_tls, MaybeTlsStream};
use tokio::net::TcpStream;
use std::path::PathBuf;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // verify-full: validate the chain and the hostname. Some(path) selects a
    // custom CA bundle; the empty PathBuf here is only a placeholder.
    let tls_config = TlsConfig::verify_full(Some(PathBuf::new()))
        .with_sni_hostname("db.example.com");

    let tcp_stream = TcpStream::connect(("db.example.com", 5432)).await?;

    // Upgrade according to the configured mode; the last argument is the
    // host name the server certificate is verified against.
    let stream = maybe_upgrade_to_tls(tcp_stream, &tls_config, "db.example.com").await?;

    match stream {
        MaybeTlsStream::Plain(_) => {} // TLS disabled, or Prefer fell back to plaintext
        MaybeTlsStream::Tls(_) => {}   // handshake completed with the configured checks
    }
    Ok(())
}
```

Enums§
- MaybeTlsStream - A stream that may or may not be TLS-encrypted.

Functions§
- maybe_upgrade_to_tls - Attempt to upgrade a TCP connection to TLS based on configuration.