Rocket icon indicating copy to clipboard operation
Rocket copied to clipboard
verified publisher icon rwf2

sslmode=required not working for rocket_db_pool with feature diesel_postgres

Open xscoops opened this issue 1 year ago • 2 comments

What's missing?

I would like to use rocket_db_pool with feature diesel_postgres with sslmode=require in the connection url. Unfortunately I get the following error message:

   >> Matched: (a) GET /a
   >> Request guard `Connection < Db >` failed: Some(Get(Backend(ConnectionError(CouldntSetupConfiguration(DatabaseError(UnableToSendCommand, "error performing TLS handshake: no TLS implementation configured")))))).
   >> Outcome: Error(503 Service Unavailable)
   >> No 503 catcher registered. Using Rocket default.
   >> Response succeeded.

I have seen the following message on the diesel-async repo but I have no idea how to integrate the example with my Rocket application:

In the event of using this crate with a sslmode=require flag, it will be necessary to build a TLS cert. There is an example provided for doing this using the rustls crate in the postgres examples folder.

Any help would be greatly appreciated

Ideal Solution

No response

Why can't this be implemented outside of Rocket?

I believe Rocket should have support for secure database built in

Are there workarounds usable today?

There is a diesel-async workaround is described here: https://github.com/weiznich/diesel_async/blob/main/examples/postgres/pooled-with-rustls/src/main.rs

Alternative Solutions

No response

Additional Context

No response

System Checks

  • [X] I do not believe that this feature can or should be implemented outside of Rocket.
  • [X] I was unable to find a previous request for this feature.

xscoops avatar Jul 07 '24 01:07 xscoops

The issue is likely that the underlying tokio_postrgess implementation is refusing the connection, since it doesn't trust the tls certificate provided by the database. To fix this, you need to either use unencrypted communication, or add the certificate to the list of trusted certificates. The workaround works by creating a custom tls config, with the added trusted cert, but you might also be able to add the cert to the OS's list of trusted certs.

In many cases, encrypting the connection to the database isn't needed, since the database is (due to the network structure) inaccessible from anywhere except the application server.

the10thWiz avatar Jul 08 '24 00:07 the10thWiz

The issue seems to be that rocket is hardcoding no TLS implementation.

https://github.com/rwf2/Rocket/blob/f9de1bf4671100b2f9c9bea6ce206fc4748ca999/contrib/db_pools/lib/src/pool.rs#L170

It seems the sqlx implementation is configured to use runtime-tokio-rustls feature. It would not be too much effort to introduce tokio-postgres-rustls as a dependency and provide that instead of NoTls.

conradludgate avatar Jul 01 '25 17:07 conradludgate