pg does not support TLS/SSL protocol restriction. #1769

Closed
glepsky opened this issue Nov 12, 2018 · 2 comments
Comments

@glepsky
Contributor

glepsky commented Nov 12, 2018

We need to restrict communication protocols to TLS 1.1 and TLS 1.2. I have tried to set poolOptions.ssl.secureOptions = SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2 and then call new pg.Pool(poolOptions);.
However, ssl.secureOptions is not supported by pg: in connection.js, during stream creation, the secureOptions property is not copied to the tls.connect() argument (ConnectionOptions).

Adding secureOptions: self.ssl.secureOptions to the ConnectionOptions instance seems to fix the problem.

Would you accept a fix that would copy over the ssl.secureOptions to tls.connect() argument?
Something like

   self.stream = tls.connect({
      socket: self.stream,
      servername: host,
      checkServerIdentity: self.ssl.checkServerIdentity || tls.checkServerIdentity,
      rejectUnauthorized: self.ssl.rejectUnauthorized,
      ca: self.ssl.ca,
      pfx: self.ssl.pfx,
      key: self.ssl.key,
      passphrase: self.ssl.passphrase,
      cert: self.ssl.cert,
      secureOptions: self.ssl.secureOptions,
      NPNProtocols: self.ssl.NPNProtocols
    })
@brianc
Owner

brianc commented Nov 29, 2018

Yes I definitely would accept a fix for that!

glepsky pushed a commit to glepsky/node-postgres that referenced this issue Jan 7, 2019
…set in ssl configuration

- Propagate client's ssl.secureOptions config to TLS.
@glepsky
Contributor Author

glepsky commented Jan 7, 2019

@brianc Created a pull request #1804 for this issue.

brianc pushed a commit that referenced this issue Jan 8, 2019
… ssl configuration (#1804)

- Propagate client's ssl.secureOptions config to TLS.