streamclient: fix panic in sslinline parsing

stevendanna · stevendanna · commit 39f7da006135 · 2025-10-10T13:54:43.000+01:00
If sslmode=disable, the underlying library returns a nil TLSConfig. Fixes #155224 Release note (bug fix): Fix a bug that would result in a node crash if a PCR or LDR URI used sslinline=true with sslmode=disable.
diff --git a/pkg/crosscluster/streamclient/client_test.go b/pkg/crosscluster/streamclient/client_test.go
@@ -387,6 +387,23 @@ SXy25ZnLdt1xMg==
 		require.NoError(t, err)
 	})
 
+	t.Run("all valid certs but disabled", func(t *testing.T) {
+		query := url.Values{}
+		query.Add(SslInlineURLParam, "true")
+		query.Add(sslCertURLParam, validCert)
+		query.Add(sslKeyURLParam, validKey)
+		query.Add(sslRootCertURLParam, validCert)
+		query.Add(sslModeURLParam, "disable")
+
+		remote := url.URL{
+			Scheme:   "postgresql",
+			Host:     "localhost:26257",
+			RawQuery: query.Encode(),
+		}
+		_, err := setupPGXConfig(remote, options{})
+		require.NoError(t, err)
+	})
+
 	t.Run("invalid cert", func(t *testing.T) {
 		query := url.Values{}
 		query.Add(SslInlineURLParam, "true")
diff --git a/pkg/crosscluster/streamclient/pgconn.go b/pkg/crosscluster/streamclient/pgconn.go
@@ -138,7 +138,7 @@ func uriWithInlineTLSCertsRemoved(remote url.URL) (url.URL, *tlsCerts, error) {
 }
 
 func (c *tlsCerts) addTLSCertsToConfig(tlsConfig *tls.Config) {
-	if c == nil {
+	if c == nil || tlsConfig == nil {
 		return
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ func uriWithInlineTLSCertsRemoved(remote url.URL) (url.URL, *tlsCerts, error) {`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`func (c tlsCerts) addTLSCertsToConfig(tlsConfig tls.Config) {`
`141`		`- if c == nil {`
	`141`	`+ if c == nil \|\| tlsConfig == nil {`
`142`	`142`	`return`
`143`	`143`	`}`
`144`	`144`