Headscale cannot connect to PostgreSQL with SNI in use. #925

Closed
OrvilleQ opened this issue Nov 3, 2022 · 0 comments
Labels
bug Something isn't working

OrvilleQ commented Nov 3, 2022

Bug description

Can't get PostgreSQL to work with TLS and SNI.

To Reproduce

Try to connect to a PostgreSQL database with SNI in use.

Context info

Refer to this document from Neon, a hosted PostgreSQL service.

If your application or service uses golang PostgreSQL clients like pgx and lib/pq you can set sslmode=verify-full, which will cause SNI info to be sent. Most likely, this was not intentional but happened inadvertently due to the golang's TLS library API design.

But in headscale, db_ssl is defined as a bool DBssl.

DBssl: viper.GetBool("db_ssl"),

Therefore ssl_mode can only be disabled or require (psql's default), and users won't be able to connect to any hosted PostgreSQL server that depends on SNI in TLS.

I suggest we change DBssl to string to fix this issue.
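
One way the suggested change could look, as an added example that is not headscale's code: db_ssl is read as a string, the old boolean values keep their meaning, and sslmode names pass through after validation. The function names, the DSN fields and the host below are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// sslModeFromConfig maps a db_ssl config value (read as a string, e.g. with
// viper.GetString) to a PostgreSQL sslmode. Hypothetical helper.
// Legacy booleans keep the behaviour described in the issue
// (true -> require, false or unset -> disable). Other values must be one of
// the sslmode names lib/pq documents; anything else is rejected instead of
// silently falling back to a weaker mode.
func sslModeFromConfig(v string) (string, error) {
	switch s := strings.ToLower(strings.TrimSpace(v)); s {
	case "true":
		return "require", nil
	case "", "false":
		return "disable", nil
	case "disable", "require", "verify-ca", "verify-full":
		// "require" encrypts but does not check the server name against
		// the certificate; "verify-full" does, and per the quoted Neon
		// document it is the mode that makes Go clients send SNI.
		return s, nil
	default:
		return "", fmt.Errorf("unsupported db_ssl value %q", v)
	}
}

// buildDSN renders a keyword/value connection string. Hypothetical helper;
// values are assumed to contain no spaces or quotes.
func buildDSN(host string, port int, db, user, dbSSL string) (string, error) {
	mode, err := sslModeFromConfig(dbSSL)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("host=%s port=%d dbname=%s user=%s sslmode=%s",
		host, port, db, user, mode), nil
}

func main() {
	// Constructed sample values, including one invalid setting.
	for _, v := range []string{"false", "true", "verify-full", "maybe"} {
		dsn, err := buildDSN("db.example.invalid", 5432, "headscale", "headscale", v)
		fmt.Printf("db_ssl=%-14q dsn=%q err=%v\n", v, dsn, err)
	}
}
```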
