
sslmode=required not working for rocket_db_pool with feature diesel_postgres #2820

Open
2 tasks done
xscoops opened this issue Jul 7, 2024 · 1 comment
Labels
request Request for new functionality

Comments


xscoops commented Jul 7, 2024

What's missing?

I would like to use rocket_db_pool with feature diesel_postgres with sslmode=require in the connection url. Unfortunately I get the following error message:

   >> Matched: (a) GET /a
   >> Request guard `Connection < Db >` failed: Some(Get(Backend(ConnectionError(CouldntSetupConfiguration(DatabaseError(UnableToSendCommand, "error performing TLS handshake: no TLS implementation configured")))))).
   >> Outcome: Error(503 Service Unavailable)
   >> No 503 catcher registered. Using Rocket default.
   >> Response succeeded.

I have seen the following message on the diesel-async repo but I have no idea how to integrate the example with my Rocket application:

In the event of using this crate with a sslmode=require flag, it will be necessary to build a TLS cert. There is an example provided for doing this using the rustls crate in the postgres examples folder.

Any help would be greatly appreciated

Ideal Solution

No response

Why can't this be implemented outside of Rocket?

I believe Rocket should have support for secure database built in

Are there workarounds usable today?

There is a diesel-async workaround described here: https://github.com/weiznich/diesel_async/blob/main/examples/postgres/pooled-with-rustls/src/main.rs

Alternative Solutions

No response

Additional Context

No response

System Checks

  • I do not believe that this feature can or should be implemented outside of Rocket.
  • I was unable to find a previous request for this feature.
@xscoops xscoops added the request Request for new functionality label Jul 7, 2024
@the10thWiz
Collaborator

The issue is likely that the underlying tokio_postgres implementation is refusing the connection, since it doesn't trust the TLS certificate provided by the database. To fix this, you need to either use unencrypted communication, or add the certificate to the list of trusted certificates. The workaround works by creating a custom TLS config, with the added trusted cert, but you might also be able to add the cert to the OS's list of trusted certs.

In many cases, encrypting the connection to the database isn't needed, since the database is (due to the network structure) inaccessible from anywhere except the application server.
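The issue report and the reply above describe the same mismatch from two sides: the URL carries `sslmode=require`, but the pool was built with no TLS connector, so the handshake fails with "no TLS implementation configured"; the linked workaround fixes it by building a rustls client config whose root store also trusts the database's CA. The following is an added, standard-library-only Rust example (not code from Rocket, diesel-async or the linked workaround) that models that decision as a pre-flight check: it parses `sslmode` with its libpq meanings, counts the certificates in a CA bundle the way a root-store loader would before adding them as trust anchors, and refuses configurations that would either fail at request time or silently downgrade to plaintext. The connection URL, the PEM text, the `Connector` enum and the figure standing in for the size of the OS trust store are all constructed for the example; `plan_connection` is this example's own policy, not tokio_postgres's logic.

```rust
use std::collections::HashMap;

/// libpq-style `sslmode` values accepted in a postgres:// URL.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SslMode { Disable, Allow, Prefer, Require, VerifyCa, VerifyFull }

impl SslMode {
    pub fn parse(s: &str) -> Option<Self> {
        Some(match s {
            "disable" => SslMode::Disable,
            "allow" => SslMode::Allow,
            "prefer" => SslMode::Prefer,
            "require" => SslMode::Require,
            "verify-ca" => SslMode::VerifyCa,
            "verify-full" => SslMode::VerifyFull,
            _ => return None,
        })
    }

    pub fn as_str(self) -> &'static str {
        match self {
            SslMode::Disable => "disable",
            SslMode::Allow => "allow",
            SslMode::Prefer => "prefer",
            SslMode::Require => "require",
            SslMode::VerifyCa => "verify-ca",
            SslMode::VerifyFull => "verify-full",
        }
    }

    /// Modes that must never fall back to plaintext (libpq semantics).
    pub fn requires_tls(self) -> bool {
        matches!(self, SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull)
    }
}

/// Parse `key=value` pairs from the query part of a connection URL.
pub fn query_params(url: &str) -> HashMap<String, String> {
    let query = match url.split_once('?') {
        Some((_, q)) => q,
        None => return HashMap::new(),
    };
    query
        .split('&')
        .filter(|kv| !kv.is_empty())
        .map(|kv| match kv.split_once('=') {
            Some((k, v)) => (k.to_string(), v.to_string()),
            None => (kv.to_string(), String::new()),
        })
        .collect()
}

/// Count complete certificate blocks in a PEM bundle, as a root-store
/// loader does before turning each one into a trust anchor.
pub fn count_pem_certificates(pem: &str) -> usize {
    let mut count = 0;
    let mut inside = false;
    for line in pem.lines().map(str::trim) {
        match line {
            "-----BEGIN CERTIFICATE-----" => inside = true,
            "-----END CERTIFICATE-----" if inside => { inside = false; count += 1; }
            _ => {}
        }
    }
    count
}

/// Constructed placeholder standing in for the database CA file; not a real certificate.
pub const DATABASE_CA_PEM: &str = "-----BEGIN CERTIFICATE-----\n\
MIIBxzCCAW2gAwIBAgIUConstructedPlaceholderNotARealCert000000wCgYIKoZI\n\
-----END CERTIFICATE-----\n";

/// TLS support wired into the pool's connector (constructed model). `NoTls` is the
/// state the issue reports; `Rustls` carries how many trust anchors the client
/// config holds (OS store plus the database CA added by the workaround).
#[derive(Debug, Clone, Copy)]
pub enum Connector { NoTls, Rustls { trusted_roots: usize } }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConnectPlan { Plaintext, Tls }

/// Decide, before any socket is opened, whether the URL and the connector can
/// satisfy each other. Fails closed: a `require`-class mode with no TLS
/// implementation, or a TLS connector with an empty root store, is an error at
/// startup rather than a 503 on the first request.
pub fn plan_connection(url: &str, connector: Connector) -> Result<ConnectPlan, String> {
    let params = query_params(url);
    let mode = match params.get("sslmode") {
        None => SslMode::Prefer, // libpq's default when the parameter is absent
        Some(raw) => SslMode::parse(raw).ok_or_else(|| format!("unknown sslmode {:?}", raw))?,
    };
    match (mode, connector) {
        (SslMode::Disable, _) => Ok(ConnectPlan::Plaintext),
        (SslMode::Allow | SslMode::Prefer, Connector::NoTls) => Ok(ConnectPlan::Plaintext),
        (m, Connector::NoTls) => Err(format!(
            "sslmode={} requires TLS but no TLS implementation is configured", m.as_str())),
        // rustls verifies the server chain regardless of sslmode, so an empty
        // root store means the database certificate would be rejected.
        (_, Connector::Rustls { trusted_roots: 0 }) => Err(
            "TLS connector has no trusted roots; the database certificate would be rejected".into()),
        (_, Connector::Rustls { .. }) => Ok(ConnectPlan::Tls),
    }
}

fn main() {
    let url = "postgres://app@db.internal/app?sslmode=require"; // constructed
    // The failing state from the report: sslmode=require with no TLS connector.
    println!("{:?}", plan_connection(url, Connector::NoTls));
    // The workaround: OS roots plus the database CA in one root store.
    let os_roots = 140; // constructed figure for the native trust store
    let roots = os_roots + count_pem_certificates(DATABASE_CA_PEM);
    println!("{:?}", plan_connection(url, Connector::Rustls { trusted_roots: roots }));
}
```

The point of refusing the empty root store rather than relaxing verification is the one the reply makes: the fix for an untrusted database certificate is to trust that certificate's CA (in the client config or in the OS store), not to turn off verification or drop to plaintext.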
