Hi,

Fixed in http://trac.calendarserver.org/changeset/15710/CalendarServer/trunk

Because pg8000 has a separate kwarg to enable SSL, and because Twisted / endpoints don't have to do anything differently for an SSL connection via pg8000 to succeed, I went with a separate 'ssl' option for the DB config dict instead of adding support for a 'tcps' prefix.

Although the pg8000 documentation doesn't state this explicitly, testing shows that enabling this option *requires* SSL, and does not merely use SSL if available. The connection will fail if SSL is not available.

-dre
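As an added illustration of the configuration choice described above (this is example code, not CalendarServer's changeset or pg8000's own code), the block below maps a DB config dict carrying an explicit 'ssl' flag onto the kwargs one would hand to pg8000.connect(). It also accepts the 'tcps:' endpoint prefix that was considered and rejected, parsing it with partition() so a fixed-width slice cannot lose part of the hostname. The config dict shape ('endpoint', 'database', 'user', 'password', 'ssl'), the helper names, and the assumption that the installed pg8000 still takes a boolean ssl kwarg (as the 2016 release did; newer releases use ssl_context) are all assumptions of this example.

```python
"""Build pg8000.connect() kwargs from a CalendarServer-style DB config dict.

Added example; not CalendarServer or pg8000 code. Assumes:
  * config['endpoint'] is 'tcp:host:port' or 'tcps:host:port' (assumed shape)
  * config['ssl'] is a bool, mirroring the separate 'ssl' config option
  * the installed pg8000 accepts a boolean 'ssl' kwarg (2016-era API)
"""


def parse_endpoint(endpoint):
    """Split 'tcp:host:port' or 'tcps:host:port' into (scheme, host, port).

    partition() is used instead of a hard-coded slice such as endpoint[4:],
    which is correct for 'tcp:' but one character short for 'tcps:' and
    would return ':host' instead of 'host'.
    """
    scheme, sep, rest = endpoint.partition(":")
    if not sep or scheme not in ("tcp", "tcps"):
        raise ValueError("unsupported endpoint: %r" % (endpoint,))
    host, sep, port = rest.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("endpoint needs host:port: %r" % (endpoint,))
    return scheme, host, int(port)


def pg8000_kwargs(config):
    """Return the kwargs for pg8000.connect(**kwargs).

    TLS is required when either the explicit 'ssl' option is true or the
    endpoint uses the 'tcps' prefix. With ssl=True, pg8000 sends an
    SSLRequest and aborts if the server declines; it does not fall back to
    cleartext, so the flag is a requirement, not a preference.
    """
    scheme, host, port = parse_endpoint(config["endpoint"])
    require_tls = scheme == "tcps" or bool(config.get("ssl", False))
    return {
        "host": host,
        "port": port,
        "database": config["database"],
        "user": config["user"],
        "password": config.get("password"),
        "ssl": require_tls,
    }


def connect(config):
    """Open the connection; pg8000 is imported lazily so the helpers above
    stay usable (and testable) without the driver installed."""
    import pg8000  # assumed: a pg8000 release with the boolean ssl kwarg
    return pg8000.connect(**pg8000_kwargs(config))


if __name__ == "__main__":
    # Constructed sample config, not taken from any real deployment.
    sample = {
        "endpoint": "tcp:db.example.invalid:5432",
        "database": "caldav",
        "user": "caldav",
        "password": "not-a-real-password",
        "ssl": True,
    }
    print(pg8000_kwargs(sample))
```

To confirm the "requires, does not merely prefer" behaviour end to end, point a config with ssl=True at a server whose pg_hba.conf only has hostssl entries (as the thread's test server does): the connection succeeds, and the same config against a server built without OpenSSL fails at connect time rather than silently downgrading.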

On Jun 24, 2016, at 3:50 PM, Andre LaBranche <dre@apple.com> wrote:

Rebuilding PG with openssl support wasn't that hard. Turns out I already had openssl installed via brew, so I just needed to define a couple of env vars.

I tried the most naive thing I could think of,

... no, it's not that simple. Also, that patch is bunk: the string slice is off by one, so it fails to capture the entire hostname when there is a tcps: prefix.

since I believe none of the parameters we pass down to pg8000 are TLS-aware

Yes, they are. The one called 'ssl' in pg8000/__init__.py which is a bool.

After some reckless hacking, I got this to work, verified by the fact that my PG server is configured to allow only connections that use SSL. I'll clean this up and do some more testing before committing.

-dre
_______________________________________________
calendarserver-dev mailing list
calendarserver-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-dev