configTLS uses libpq's TLS parameters to construct []*tls.Config. Returning multiple TLS configs is necessary because sslmode "allow" and "prefer" allow fallback.
(settings map[string]string, thisHost string, parseConfigOptions ParseConfigOptions)
| 774 | // necessary to allow returning multiple TLS configs as sslmode "allow" and |
| 775 | // "prefer" allow fallback. |
| 776 | func configTLS(settings map[string]string, thisHost string, parseConfigOptions ParseConfigOptions) ([]*tls.Config, error) { |
| 777 | host := thisHost |
| 778 | sslmode := settings["sslmode"] |
| 779 | sslrootcert := settings["sslrootcert"] |
| 780 | sslcert := settings["sslcert"] |
| 781 | sslkey := settings["sslkey"] |
| 782 | sslpassword := settings["sslpassword"] |
| 783 | sslsni := settings["sslsni"] |
| 784 | sslnegotiation := settings["sslnegotiation"] |
| 785 | |
| 786 | // Match libpq default behavior |
| 787 | if sslmode == "" { |
| 788 | sslmode = "prefer" |
| 789 | } |
| 790 | if sslsni == "" { |
| 791 | sslsni = "1" |
| 792 | } |
| 793 | |
| 794 | tlsConfig := &tls.Config{} |
| 795 | |
| 796 | if sslnegotiation == "direct" { |
| 797 | tlsConfig.NextProtos = []string{"postgresql"} |
| 798 | if sslmode == "prefer" { |
| 799 | sslmode = "require" |
| 800 | } |
| 801 | } |
| 802 | |
| 803 | if sslrootcert != "" { |
| 804 | var caCertPool *x509.CertPool |
| 805 | |
| 806 | if sslrootcert == "system" { |
| 807 | var err error |
| 808 | |
| 809 | caCertPool, err = x509.SystemCertPool() |
| 810 | if err != nil { |
| 811 | return nil, fmt.Errorf("unable to load system certificate pool: %w", err) |
| 812 | } |
| 813 | |
| 814 | sslmode = "verify-full" |
| 815 | } else { |
| 816 | caCertPool = x509.NewCertPool() |
| 817 | |
| 818 | caPath := sslrootcert |
| 819 | caCert, err := os.ReadFile(caPath) |
| 820 | if err != nil { |
| 821 | return nil, fmt.Errorf("unable to read CA file: %w", err) |
| 822 | } |
| 823 | |
| 824 | if !caCertPool.AppendCertsFromPEM(caCert) { |
| 825 | return nil, errors.New("unable to add CA to cert pool") |
| 826 | } |
| 827 | } |
| 828 | |
| 829 | tlsConfig.RootCAs = caCertPool |
| 830 | tlsConfig.ClientCAs = caCertPool |
| 831 | } |
| 832 | |
| 833 | switch sslmode { |