Support hostname verification to allow `verify-full` SSL/TLS connections
hessjcg opened this issue · 2 comments
Feature Description
The server certificate's subject CN field in the server certificate will contain the instance name in the form "{project}:{instance}". The Python connector should validate that this is correctly set during the TLS handshake. The connector should reject the connection if the server CN is not set correctly.
See also: GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#1995
This is going to be slightly complex to validate during the TLS handshake.
For `pg8000`, `pymysql` and `pytds` it is probably possible to adjust the `ssl.wrap_socket()` to set `do_handshake_on_connect` to `False`, do our verification and then call `do_handshake()`. Python ssl.wrap_socket documentation
But for `asyncpg` we don't have control over the handshake at all as it is done in the asyncpg code, we just pass it the SSL/TLS context object.
cloud-sql-python-connector/google/cloud/sql/connector/asyncpg.py
Lines 55 to 64 in de2852f
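An added example of the check discussed in this issue, not taken from the connector's code: it runs the handshake explicitly through `SSLContext.wrap_socket(..., do_handshake_on_connect=False)` and compares the subject CN from `getpeercert()` with `{project}:{instance}` before any application data is sent. The function names, the exception class and the sample certificate are assumptions made for illustration.

```python
import ssl


class InstanceNameMismatch(ssl.SSLCertVerificationError):
    """Hypothetical error: server certificate CN is not '{project}:{instance}'."""


def subject_common_names(peercert: dict) -> list[str]:
    """Collect every commonName from the dict form of SSLSocket.getpeercert()."""
    return [
        value
        for rdn in peercert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def verify_instance_cn(peercert: dict, project: str, instance: str) -> None:
    """Fail closed unless the subject carries exactly one CN equal to the expected name."""
    expected = f"{project}:{instance}"
    names = subject_common_names(peercert)
    # getpeercert() returns {} when the chain was not validated (CERT_NONE),
    # so an empty or CN-less subject is a failure, never a pass.
    if names != [expected]:
        raise InstanceNameMismatch(f"server CN {names!r} does not match {expected!r}")


def handshake_and_verify(ctx: ssl.SSLContext, sock, project: str, instance: str):
    """Wrap sock, run the handshake explicitly, then check the CN before use."""
    tls = ctx.wrap_socket(sock, do_handshake_on_connect=False)
    try:
        tls.do_handshake()  # chain validation against ctx's CA happens here
        verify_instance_cn(tls.getpeercert(), project, instance)
    except Exception:
        tls.close()  # never hand back a socket whose peer identity is unverified
        raise
    return tls


# Constructed sample in the getpeercert() dict layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "my-project:my-instance"),)),
}
```

This pattern only applies where the driver lets the caller wrap the socket; it does not cover the `asyncpg` case raised above, where only the context object is passed in.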