codewinsdotcom/PostgresClientKit

How to configure TLS certs in client app

ebsanford opened this issue · 7 comments

My app can access our non-TLS, development PostgreSQL instance. But when attempting to test against a production environment, I am forced to use TLS access. So far, I've been unsuccessful in locating an example on how to configure my client cert and key .pem files. I have the correct .pem files, but I'm missing how to specify these files in the 'ConnectionConfiguration()'.

A brief example would be greatly appreciated.

Are you authenticating the server, client, or both? If the server, then the server must have a chain of trust back to a root-CA that's available on the machine. I would like to add self-signed server certificate support (see #17). If you are trying to do client authentication, that's supported by the underlying BlueSSLService but not supported in this library I believe.

I'm guessing the client, as the server is a Google SQL Cloud instance with TLS-only connections allowed. I have generated the certs via the Google dashboard, and downloaded the 'client' .pem file and the 'key' .pem file to the client machine.

I used these certs to configure Postico (a GUI utility) on the client, and it can now access the cloud server using TLS. I need some way to configure these file with PostgresClientKit.

The 'ConnectionConfiguration' class has a .ssl property, but it's only true/false, with no other documented way of specifying there certs.

Here's my understanding of the current situation: If the .ssl property of ConnectionConfiguration is true, then PostgresClientKit attempts to create a TLS connection to the Postgres server. It will not authenticate the server certificate (so the connection will be encrypted, but there is the potential for a MITM attack as pointed out in #17, for example if DNS resolution were compromised). It will also accept a self-signed server certificate. And it will not send a client certificate (which would allow the server to authenticate, at the TLS level, the client).

From what you wrote, it sounds like your server requires authentication by a client certificate. That would be why PostgresClientKit can't connect.

Does your scenario require client authentication at the TLS level? (To be clear, this is distinct from Postgres user authentication, for example by Credential.cleartextPassword in PostgresClientKit.)

If not, you could change your server's configuration to not require an incoming connection to provide a client certificate. With that change, PostgresClientKit should create a TLS connection.

But, if your scenario does require TLS client authentication, please look at my comment on #17. This enhancement would allow the consumer of the PostClientKit library to have more control over SSL configuration.

Thanks for the responses. It's valuable information to know. My interim solution has been to download Google's Cloud SQL Proxy daemon. This little guy runs from the command line or launchd, and connects over TLS to the cloud instance. It then allows local apps to connect via 127.0.0.1:5432. This solves lots of issues, but puts more things to break between the app and the instance. However, no complaints so far, and every local app connects transparently without issue.

v1.1.0 adds an sslServiceConfiguration property to ConnectionConfiguration, which allows you to set the client certificate to be used. Please refer to the BlueSSLService documentation for information on how to do this. (BlueSSLService is the SSL library used by PostgresClientKit.)

Thanks for the update! I'll give v1.1.0 a try. Hopefully that will cure my issue.

If you want to reopen this issue, please let me know.