[CalendarServer-dev] SSL connection to DB server gone in 8.0?

Andre LaBranche dre at apple.com
Tue Jun 28 09:16:25 PDT 2016


Hi,

Fixed in http://trac.calendarserver.org/changeset/15710/CalendarServer/trunk

Because pg8000 has a separate kwarg to enable SSL, and because Twisted / endpoints don't have to do anything differently for an SSL connection via pg8000 to succeed, I went with a separate 'ssl' option for the DB config dict instead of adding support for a 'tcps' prefix.

Although the pg8000 documentation doesn't state this explicitly, testing shows that enabling this option *requires* SSL (http://trac.calendarserver.org/changeset/15714/CalendarServer/trunk), and does not merely use SSL if available. The connection will fail if SSL is not available.

-dre

> On Jun 24, 2016, at 3:50 PM, Andre LaBranche <dre at apple.com> wrote:
> 
> Rebuilding PG with openssl support wasn't that hard. Turns out I already had openssl installed via brew, so just needed to define a couple env vars.
> 
>> I tried the most naive thing I could think of,
> 
> ... no it's not that simple. Also because that patch is bunk, as the string slice is off by one, so fails to capture the entire hostname when there is a tcps: prefix.
> 
>> since I believe none of the parameters we pass down to pg8000 are TLS-aware
> 
> Yes, they are. The one called 'ssl' in pg8000/__init__.py which is a bool.
> 
> After some reckless hacking, I got this to work, verified by the fact that my PG server is configured to allow only connections that use SSL. I'll clean this up and do some more testing before committing.
> 
> -dre

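The difference between "require SSL" and "use SSL if available" discussed in this message, shown at the PostgreSQL wire-protocol level as an added example (not part of the original post, and not code from CalendarServer or pg8000): the client sends an SSLRequest and the server answers with one byte, `S` or `N`. The names `negotiate`, `simulate`, `require_ssl` and `SSLNegotiationError` are hypothetical, and the server side is a constructed in-process peer.

```python
import socket
import struct

# PostgreSQL SSLRequest: Int32 length (8), then Int32 request code 80877103.
SSL_REQUEST = struct.pack("!ii", 8, 80877103)


class SSLNegotiationError(Exception):
    """TLS was required but could not be negotiated."""


def negotiate(sock, require_ssl):
    """Send SSLRequest and return "tls" or "plaintext".

    require_ssl is a hypothetical flag modelling a client that must not
    fall back to cleartext when the server declines TLS.
    """
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)
    if answer == b"S":
        # Server accepted; a real client would start the TLS handshake here.
        return "tls"
    if answer == b"N" and not require_ssl:
        return "plaintext"
    if answer == b"N":
        raise SSLNegotiationError("server declined SSL; refusing to fall back")
    # Anything else (for example an error byte) is never treated as success.
    raise SSLNegotiationError("unexpected reply to SSLRequest: %r" % answer)


def simulate(server_reply, require_ssl):
    """Run negotiate() against a constructed in-process peer."""
    client, server = socket.socketpair()
    try:
        server.sendall(server_reply)  # constructed one-byte server answer
        return negotiate(client, require_ssl)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(simulate(b"S", True))
    print(simulate(b"N", False))
    try:
        simulate(b"N", True)
    except SSLNegotiationError as exc:
        print("failed closed:", exc)
```
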