diff --git a/packages/pg-connection-string/README.md b/packages/pg-connection-string/README.md
index 360505e0d..a65dd139f 100644
--- a/packages/pg-connection-string/README.md
+++ b/packages/pg-connection-string/README.md
@@ -68,8 +68,10 @@ Query parameters follow a `?` character, including the following special query p
 * `ssl=1`, `ssl=true`, `ssl=0`, `ssl=false` - sets `ssl` to true or false, accordingly
 * `sslmode=`
 * `sslmode=disable` - sets `ssl` to false
- * `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
- * `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
+ * `sslmode=no-verify`, `sslmode=prefer` - sets `ssl` to `{ rejectUnauthorized: false }`
+ * `sslmode=require` - sets `ssl` to `{ rejectUnauthorized: false }` unless `sslrootcert` is specified, in which case it behaves like `verify-ca`
+ * `sslmode=verify-ca` - sets `ssl` to `{ checkServerIdentity: no-op }` (verify CA, but not server identity)
+ * `sslmode=verify-full` - sets `ssl` to `{}` (verify CA and server identity)
 * `sslcert=` - reads data from the given file and includes the result as `ssl.cert`
 * `sslkey=` - reads data from the given file and includes the result as `ssl.key`
 * `sslrootcert=` - reads data from the given file and includes the result as `ssl.ca`
diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
index 995ff0684..5ac8030e7 100644
--- a/packages/pg-connection-string/index.js
+++ b/packages/pg-connection-string/index.js
@@ -87,15 +87,26 @@ function parse(str) {
 break
 }
 case 'prefer':
- case 'require':
- case 'verify-ca':
- case 'verify-full': {
- break
- }
 case 'no-verify': {
 config.ssl.rejectUnauthorized = false
 break
 }
+ case 'require': {
+ if (config.sslrootcert) {
+ // If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
+ config.ssl.checkServerIdentity = function () {}
+ } else {
+ config.ssl.rejectUnauthorized = false
+ }
+ break
+ }
+ case 'verify-ca': {
+ config.ssl.checkServerIdentity = function () {}
+ break
+ }
+ case 'verify-full': {
+ break
+ }
 }
 return config
diff --git a/packages/pg-connection-string/test/parse.js b/packages/pg-connection-string/test/parse.js
index a0cd26385..69dd96015 100644
--- a/packages/pg-connection-string/test/parse.js
+++ b/packages/pg-connection-string/test/parse.js
@@ -258,19 +258,24 @@ describe('parse', function () {
 it('configuration parameter sslmode=prefer', function () {
 var connectionString = 'pg:///?sslmode=prefer'
 var subject = parse(connectionString)
- subject.ssl.should.eql({})
+ subject.ssl.should.eql({
+ rejectUnauthorized: false,
+ })
 })
 it('configuration parameter sslmode=require', function () {
 var connectionString = 'pg:///?sslmode=require'
 var subject = parse(connectionString)
- subject.ssl.should.eql({})
+ subject.ssl.should.eql({
+ rejectUnauthorized: false,
+ })
 })
 it('configuration parameter sslmode=verify-ca', function () {
 var connectionString = 'pg:///?sslmode=verify-ca'
 var subject = parse(connectionString)
- subject.ssl.should.eql({})
+ subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
+ expect(subject.ssl.checkServerIdentity()).to.be.undefined
 })
 it('configuration parameter sslmode=verify-full', function () {
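Review bot: The `verify-ca` branch and the `sslrootcert` arm of `require` depend on Node's default `rejectUnauthorized: true` to keep validating the certificate chain, and nothing in the hunk says so; a reader could take the empty `checkServerIdentity` as disabling verification entirely. Add a comment on the `verify-ca` assignment such as `// chain is still verified (rejectUnauthorized defaults to true); the no-op only skips hostname matching, mirroring libpq verify-ca`, and on the `require` else-branch `// without a root cert, require means encryption only: no chain or hostname check`. Since both branches install the same function, a single shared no-op (e.g. a module-level `function skipServerIdentityCheck() {}`) would make the intent searchable and avoid the two anonymous functions drifting apart. The `require` check keys off `config.sslrootcert`, which is populated outside this hunk; the enclosing `parse` function begins before the hunk and ends after it.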
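Review bot: The new `verify-ca` assertions only check that `checkServerIdentity` is a no-op and no longer pin the rest of `subject.ssl`, so the test would still pass if `rejectUnauthorized: false` were ever added to that branch, which is exactly the property that separates `verify-ca` from `no-verify`. Add `subject.ssl.should.not.have.property('rejectUnauthorized')` next to the existing property assertions. The same loosening applies to the `sslrootcert` plus `sslmode=require` test in the next hunk, where the exact `eql({ ca: ... })` was replaced by individual `have.property` checks. The `sslmode=verify-full` test whose `it(` opens on the last line of this hunk continues outside it.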
@@ -282,9 +287,9 @@ describe('parse', function () {
 it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
 var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
 var subject = parse(connectionString)
- subject.ssl.should.eql({
- ca: 'example ca\n',
- })
+ subject.ssl.should.have.property('ca', 'example ca\n')
+ subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
+ expect(subject.ssl.checkServerIdentity()).to.be.undefined
 })
 it('allow other params like max, ...', function () {