
Function configTLS

pgconn/config.go:776–965  ·  view source on GitHub ↗

configTLS uses libpq's TLS parameters to construct a []*tls.Config. Returning multiple TLS configs is necessary because sslmode "allow" and "prefer" permit falling back between encrypted and unencrypted connections.

(settings map[string]string, thisHost string, parseConfigOptions ParseConfigOptions)


774// necessary to allow returning multiple TLS configs as sslmode "allow" and
775// "prefer" allow fallback.
776func configTLS(settings map[string]string, thisHost string, parseConfigOptions ParseConfigOptions) ([]*tls.Config, error) {
777 host := thisHost
778 sslmode := settings["sslmode"]
779 sslrootcert := settings["sslrootcert"]
780 sslcert := settings["sslcert"]
781 sslkey := settings["sslkey"]
782 sslpassword := settings["sslpassword"]
783 sslsni := settings["sslsni"]
784 sslnegotiation := settings["sslnegotiation"]
785
786 // Match libpq default behavior
787 if sslmode == "" {
788 sslmode = "prefer"
789 }
790 if sslsni == "" {
791 sslsni = "1"
792 }
793
794 tlsConfig := &tls.Config{}
795
796 if sslnegotiation == "direct" {
797 tlsConfig.NextProtos = []string{"postgresql"}
798 if sslmode == "prefer" {
799 sslmode = "require"
800 }
801 }
802
803 if sslrootcert != "" {
804 var caCertPool *x509.CertPool
805
806 if sslrootcert == "system" {
807 var err error
808
809 caCertPool, err = x509.SystemCertPool()
810 if err != nil {
811 return nil, fmt.Errorf("unable to load system certificate pool: %w", err)
812 }
813
814 sslmode = "verify-full"
815 } else {
816 caCertPool = x509.NewCertPool()
817
818 caPath := sslrootcert
819 caCert, err := os.ReadFile(caPath)
820 if err != nil {
821 return nil, fmt.Errorf("unable to read CA file: %w", err)
822 }
823
824 if !caCertPool.AppendCertsFromPEM(caCert) {
825 return nil, errors.New("unable to add CA to cert pool")
826 }
827 }
828
829 tlsConfig.RootCAs = caCertPool
830 tlsConfig.ClientCAs = caCertPool
831 }
832
833 switch sslmode {
