TlsConfig

pgwire_replication::config

Struct TlsConfig 

Source 
pub struct TlsConfig {
    pub mode: SslMode,
    pub ca_pem_path: Option<PathBuf>,
    pub sni_hostname: Option<String>,
    pub client_cert_pem_path: Option<PathBuf>,
    pub client_key_pem_path: Option<PathBuf>,
}
Expand description

TLS/SSL configuration for PostgreSQL connections.

Fields§

§mode: SslMode

SSL mode controlling connection security level.

§ca_pem_path: Option<PathBuf>

Path to PEM file containing trusted CA certificates.

If None and verification is enabled (VerifyCa/VerifyFull), the Mozilla root certificates (webpki-roots) are used.

§sni_hostname: Option<String>

Override SNI hostname sent during TLS handshake.

Useful when:

  • Connecting via IP address but certificate has a DNS name
  • Using a load balancer with different internal/external names

If None, the connection host is used for SNI.

§client_cert_pem_path: Option<PathBuf>

Path to PEM file containing client certificate chain.

Required for mutual TLS (mTLS) authentication. Must be paired with client_key_pem_path.

§client_key_pem_path: Option<PathBuf>

Path to PEM file containing client private key.

Required for mutual TLS (mTLS) authentication. Must be paired with client_cert_pem_path. Supports PKCS#8, PKCS#1 (RSA), and SEC1 (EC) formats.

Implementations§

Source§

impl TlsConfig

Source

pub fn disabled() -> Self

Create a configuration with TLS disabled.

§Example
use pgwire_replication::config::TlsConfig;

let tls = TlsConfig::disabled();
assert!(!tls.mode.requires_tls());
Source

pub fn require() -> Self

Create a configuration requiring TLS without certificate verification.

Warning: This mode is vulnerable to MITM attacks. Use verify_ca() or verify_full() for production.

§Example
use pgwire_replication::config::TlsConfig;

let tls = TlsConfig::require();
assert!(tls.mode.requires_tls());
assert!(!tls.mode.verifies_certificate());
Source

pub fn verify_ca(ca_path: Option<PathBuf>) -> Self

Create a configuration with certificate chain verification.

§Arguments
  • ca_path - Path to CA certificate PEM file, or None for system roots
§Example
use pgwire_replication::config::TlsConfig;

// Using system/Mozilla roots
let tls = TlsConfig::verify_ca(None);

// Using custom CA
let tls = TlsConfig::verify_ca(Some("/path/to/ca.pem".into()));
Source

pub fn verify_full(ca_path: Option<PathBuf>) -> Self

Create a configuration with full verification (chain + hostname).

Recommended for production.

§Arguments
  • ca_path - Path to CA certificate PEM file, or None for system roots
§Example
use pgwire_replication::config::TlsConfig;

let tls = TlsConfig::verify_full(Some("/etc/ssl/certs/ca.pem".into()));
assert!(tls.mode.verifies_hostname());
Source

pub fn with_sni_hostname(self, hostname: impl Into<String>) -> Self

Set SNI hostname override.

§Example
use pgwire_replication::config::TlsConfig;

let tls = TlsConfig::verify_full(None)
    .with_sni_hostname("db.example.com");
Source

pub fn with_client_cert( self, cert_path: impl Into<PathBuf>, key_path: impl Into<PathBuf>, ) -> Self

Configure client certificate for mutual TLS.

§Example
use pgwire_replication::config::TlsConfig;

let tls = TlsConfig::verify_full(Some("/ca.pem".into()))
    .with_client_cert("/client.pem", "/client.key");
Source

pub fn is_mtls(&self) -> bool

Returns true if mutual TLS (client certificate) is configured.

Trait Implementations§

Source§

impl Clone for TlsConfig

Source§

fn clone(&self) -> TlsConfig

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for TlsConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for TlsConfig

Source§

fn default() -> TlsConfig

Returns the “default value” for a type. Read more
Source§

impl PartialEq for TlsConfig

Source§

fn eq(&self, other: &TlsConfig) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Eq for TlsConfig

Source§

impl StructuralPartialEq for TlsConfig

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more