Add client SSL authentication using key-file for Postgres, MySQL and MariaDB #1850
Conversation
Thanks for this, @ThibsG! We use YugabyteDB (it's PostgreSQL wire-compatible like CockroachDB) and need to use client certificates for authentication. We've been waiting for this support in order to shift from Diesel to SQLx. Tagging @abonander since he reviewed the previous PR (#1166). I'll do some testing on my end and report back. Thanks again!
Hi @RabidFire, did you have some time to run some tests?
I get
I'd like to see the workflows running, not sure why they're not.
@abonander it seems that if I push more than 1 time per day-ish, it won't run tests automatically (too heavy I suppose), so it needs approval from a maintainer (the link I see is this one: https://docs.github.com/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)
PRs from first-time contributors require approval every time a workflow wants to be run. It's a bit annoying but it seems to be a decent precaution as an attacker could open a PR and modify a workflow to submit some secret environment variables like auth tokens to a server they control.
Well thanks, that makes perfect sense. I just updated the GA workflow to properly remove the previous container so the port is free to spawn the next container. Tests should run well now.
I've been playing with this a bit, and one potential issue I have (for the use case I'm looking at) is that configuration of the client certs is dependent on It seems to me that client certificate configuration should be independent of server certificate verification? WDYT?
Indeed I totally agree, good catch thanks! 😉
@ThibsG it would also be nice to support combined pem files (cert + key in same file) as that would be rather convenient (and potentially reduce IO/reads in "heavy" envs). something like.
@ThibsG current development is on the
@abonander done with rebasing 😉
I'm testing this with setting PGSSLCERT, PGSSLKEY, and PGSSLROOTCERT environment vars. I'm getting this panic:
Here's my code and the full backtrace and how I set my env vars and my throwaway cert+key. I had suspected that my use of Elliptic Curve keys was causing this, so I switched my root CA, server, and client certs all to use RSA instead. AFAIK it did output a valid pkcs8 key file. It connects with In general, this is how I bring up postgres
The EC key variant was not handled, this has been fixed, thanks! Also, I changed the target branch to merge this PR into
FWIW, I'm still getting the same error
I'm not a cert expert, but your client key seems to be in PKCS#1 format (the header is starting with Looking at source code, it seems also that Try to convert using:
That fixed it! 🎉 I can confirm this is working now. End-to-End mutual TLS ::) Thank you!
@EnigmaCurry, you may also want to try
Confirmed! I fixed my script so it outputs keyfiles in both formats, but now it's nice to be able to use either one. Thanks again.
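The PKCS#1 vs PKCS#8 confusion above, the EC-key fix, and the earlier request for combined cert+key files all come down to what a key-file loader does with the PEM labels it finds. As an added illustration (my code, not SQLx's), here is a small PEM block parser and a `split_client_pem` helper that separates certificates from the key, names the key encoding, and turns an unsupported one into a readable error instead of a panic. Refusing PKCS#1 keys with an `openssl pkcs8 -topk8` hint is a policy assumed for the example, not the PR's merged behaviour.

```rust
// Added example, not SQLx's code: sort the PEM blocks of a client key file
// (possibly combined with its certificate) and name the key encoding, so a
// loader can fail with a clear message instead of panicking on one it lacks.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KeyFormat {
    Pkcs8,    // "PRIVATE KEY": wraps RSA or EC; what the TLS stack expects
    Pkcs1Rsa, // "RSA PRIVATE KEY": traditional OpenSSL RSA encoding
    Sec1Ec,   // "EC PRIVATE KEY": traditional OpenSSL EC encoding
}
// Returns the label X from a "-----BEGIN X-----" / "-----END X-----" line.
fn framing<'a>(line: &'a str, prefix: &str) -> Option<&'a str> {
    line.strip_prefix(prefix)?.strip_suffix("-----")
}
/// Every BEGIN/END block as (label, full block text); bad framing is an Err.
pub fn pem_blocks(pem: &str) -> Result<Vec<(String, String)>, String> {
    let (mut blocks, mut open) = (Vec::new(), None::<(String, Vec<&str>)>);
    for line in pem.lines().map(str::trim).filter(|l| !l.is_empty()) {
        if let Some(label) = framing(line, "-----BEGIN ") {
            if open.is_some() { return Err(format!("nested BEGIN {label}")); }
            open = Some((label.to_owned(), vec![line]));
        } else if let Some(label) = framing(line, "-----END ") {
            match open.take() {
                Some((begin, mut lines)) if begin == label => {
                    lines.push(line);
                    blocks.push((begin, lines.join("\n")));
                }
                _ => return Err(format!("END {label} closes no open block")),
            }
        } else if let Some((_, lines)) = open.as_mut() {
            lines.push(line); // base64 body line inside an open block
        }
    }
    open.map_or(Ok(blocks), |(l, _)| Err(format!("unterminated BEGIN {l}")))
}
/// Certificates, the single private key and its encoding; a PKCS#1 key is
/// refused with a conversion hint (assumed policy) instead of passed on.
pub fn split_client_pem(pem: &str) -> Result<(Vec<String>, KeyFormat, String), String> {
    let (mut certs, mut key) = (Vec::new(), None);
    for (label, block) in pem_blocks(pem)? {
        let fmt = match label.as_str() {
            "CERTIFICATE" => { certs.push(block); continue; }
            "PRIVATE KEY" => KeyFormat::Pkcs8,
            "RSA PRIVATE KEY" => KeyFormat::Pkcs1Rsa,
            "EC PRIVATE KEY" => KeyFormat::Sec1Ec,
            other => return Err(format!("unsupported PEM block {other}")),
        };
        if key.replace((fmt, block)).is_some() { return Err("two private keys".into()); }
    }
    match key {
        Some((KeyFormat::Pkcs1Rsa, _)) => Err("PKCS#1 key: run `openssl pkcs8 -topk8 -nocrypt` first".into()),
        Some((fmt, block)) => Ok((certs, fmt, block)),
        None => Err("no private key block".into()),
    }
}
```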
Looks like it's green, glad to finally land this!
…MariaDB (#1850)

* use native-tls API
* Add client cert and key to MySQL connector
* Add client ssl tests for PostgreSQL
* Add client ssl tests for MariaDB and MySQL
* Adapt GA tests
* Fix RUSTFLAGS to run all tests
* Remove containers to free the DB port before running SSL auth tests
* Fix CI bad naming
* Use docker-compose down to remove also the network
* Fix main rebase
* Stop trying to stop service using docker-compose, simply use docker cmd
* Fix RUSTFLAGS for Postgres
* Name the Docker images for MariaDB and MySQL so we can stop them using their name
* Add the exception for mysql 5.7 not supporting compatible TLS version with RusTLS
* Rebase fixes
* Set correctly tls struct (fix merge)
* Handle Elliptic Curve variant for private key
* Fix tests suite
* Fix features in CI
* Add tests for Postgres 15 + rebase
* Python tests: fix exception for MySQL 5.7 + remove unneeded for loops
* CI: run SSL tests only when building with TLS support

--------

Co-authored-by: Barry Simons <[email protected]>
Revival of #1166
Fixes #1162
Tests are separated depending on whether client SSL or a password is used to authenticate the user.
The database configuration is changing (to configure the database without providing any password, and thus be more confident in the test),
but if you believe this is too heavy (too long, too many images, etc.) let me know, and I'll mix the Docker images to use the same one
whether we want to connect using SSL or with a password.