cfssl

PostgreSQL sslmode enabled

Open micheelengronne opened this issue 5 years ago • 3 comments

CFSSL used as a CA can have a PostgreSQL backend.

There is no example using the sslmode functionality of PostgreSQL. As it is the backend of the CA, it should be the perfect place to use it.

Does it work? Should it be implemented?

micheelengronne avatar Nov 22 '19 15:11 micheelengronne

It failed for me, then this worked:

    {
    	"driver": "postgres",
    	"data_source": "postgres://${username}:${password}@${host}/${database}?sslmode=disable"
    }

Roydon avatar Apr 14 '20 20:04 Roydon

But that's exactly what I do not want. I want to enable SSL.

micheelengronne avatar Apr 15 '20 08:04 micheelengronne

@micheelengronne

In the above example, if you use instead of

	"data_source": "postgres://${username}:${password}@${host}/${database}?sslmode=disable"

something like

	"data_source": "postgres://${username}:${password}@${host}/${database}?sslmode=verify-full&sslrootcert=<path to cert>"

this should just work. CFSSL just calls the lib/pq library underneath with the connection string supplied.

The verify-full config option is one way to do this. There are other options for full/partial SSL verification, and you can refer to the Postgres documentation for these.

krish7919 avatar Jun 06 '22 14:06 krish7919
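A pre-deployment check for the db-config discussed in this thread, as an added example that is not part of the original issue or of CFSSL: it parses the JSON and rejects any `data_source` that does not request `sslmode=verify-full` with an `sslrootcert`. The function name `CheckTLS`, the sample host and paths, and the policy of requiring an explicit root certificate are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// dbConfig mirrors the two keys shown in the thread's db-config JSON.
type dbConfig struct {
	Driver     string `json:"driver"`
	DataSource string `json:"data_source"`
}

// CheckTLS (hypothetical helper) returns nil only when data_source requests
// verify-full and names a root certificate. Requiring sslrootcert is this
// example's policy, matching the connection string suggested in the thread.
func CheckTLS(raw []byte) error {
	var c dbConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	if c.Driver != "postgres" {
		return fmt.Errorf("driver %q is not postgres", c.Driver)
	}
	u, err := url.Parse(c.DataSource)
	if err != nil {
		// The parse error is not wrapped: it would echo the password.
		return fmt.Errorf("data_source is not a valid URL")
	}
	q := u.Query()
	switch mode := q.Get("sslmode"); mode {
	case "verify-full":
		if q.Get("sslrootcert") == "" {
			return fmt.Errorf("verify-full without sslrootcert")
		}
		return nil
	case "":
		return fmt.Errorf("sslmode not set, the driver default applies")
	default:
		return fmt.Errorf("sslmode=%s is weaker than verify-full", mode)
	}
}

func main() {
	// Constructed sample configs, not taken from a real deployment.
	weak := []byte(`{"driver":"postgres","data_source":"postgres://u:p@db.example.internal/cfssl?sslmode=disable"}`)
	good := []byte(`{"driver":"postgres","data_source":"postgres://u:p@db.example.internal/cfssl?sslmode=verify-full&sslrootcert=/etc/cfssl/pg-root.crt"}`)
	fmt.Println(CheckTLS(weak), CheckTLS(good))
}
```

Running such a check in CI before the config reaches the CA host catches a `sslmode=disable` workaround like the one posted earlier in the thread.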