Skip to content

Respect sslmode option #197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
amotl opened this issue Jan 21, 2025 · 4 comments · May be fixed by #202
Open

Respect sslmode option #197

amotl opened this issue Jan 21, 2025 · 4 comments · May be fixed by #202
Assignees
@amotl
Labels
enhancement New feature or request pgcompat PostgreSQL compatibility and other details about standards-compliance

Comments

@amotl
Copy link
Member

amotl commented Jan 21, 2025
edited
Loading

Status quo

PostgreSQL uses the sslmode client parameter to configure SSL connectivity options across the board, see 32.19.3. Protection Provided in Different Modes. CrateDB's SQLAlchemy dialect currently only uses the ssl=true query parameter.

Proposal

Make it so that the CrateDB SQLAlchemy dialect is more standards-oriented, and will also accept the sslmode option, when applicable. Most prominently, @WalBeh asked for sslmode=require, in order to strictly use SSL, but to turn off host name validation.

This is needed to connect to https://localhost:4200/ successfully, which is apparent in K8s or other operational scenarios.
@amotl amotl added the pgcompat PostgreSQL compatibility and other details about standards-compliance label Jan 21, 2025
@amotl
Copy link
Member Author

amotl commented Feb 13, 2025

@WalBeh has a strong need for this, and he just renewed his interest in having it implemented. Thanks!

@amotl amotl self-assigned this Feb 13, 2025
@amotl amotl added the enhancement New feature or request label Feb 13, 2025
@amotl
Copy link
Member Author

amotl commented Feb 15, 2025

crash uses the verify_ssl_cert option to crate.connect() like observed here. Thanks, @WalBeh.

@amotl
Copy link
Member Author

amotl commented Feb 16, 2025
edited
Loading

crate-pdo includes an example setup using Docker/Podman Compose, for running CrateDB with SSL enabled.

Using crash, you can connect using the --verify-ssl=no option.

crash --host https://localhost:4200 --verify-ssl=no --command "SELECT 42;"

This was referenced Feb 16, 2025
Merged
Open
@amotl
Copy link
Member Author

amotl commented Feb 16, 2025
edited
Loading

This patch implements the requested sslmode=prefer parameter.

Outlook: Let us target switching to SSL by default paired with a 1.0.0 release?

/cc @matriv, @seut

@amotl amotl mentioned this issue Feb 25, 2025
Open
3 tasks
@kneth kneth linked a pull request Mar 27, 2025 that will close this issue
Add canonical PostgreSQL client parameter sslmode #202
Open
This was referenced Apr 15, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amotl amotl

Labels
enhancement New feature or request pgcompat PostgreSQL compatibility and other details about standards-compliance
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add canonical PostgreSQL client parameter sslmode crate/sqlalchemy-cratedb
1 participant
@amotl