feat: support sslnegotiation flag (#1180)

Author: conradludgate

CHANGELOG.md

@@ -7,7 +7,9 @@ newer. Previously PostgreSQL 8.4 and newer were supported.
 
 ### Features
 
-- Add support for NamedValueChecker interface ([#1125])
+- Add support for NamedValueChecker interface ([#1125]).
+
+- Support [`sslnegotiation`] to use SSL without negotiation ([#1180]).
 
 - The `pq.Error.ErrorWithDetail()` method prints a more detailed multiline
   message, with the Detail, Hint, and error position (if any) ([#1219]):
@@ -55,6 +57,7 @@ newer. Previously PostgreSQL 8.4 and newer were supported.
 
 - Treat nil []byte in query parameters as nil/NULL rather than `""` ([#838]).
 
+[`sslnegotiation`]: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLNEGOTIATION
 [#595]: https://github.com/lib/pq/pull/595
 [#745]: https://github.com/lib/pq/pull/745
 [#743]: https://github.com/lib/pq/pull/743
@@ -68,6 +71,7 @@ newer. Previously PostgreSQL 8.4 and newer were supported.
 [#1161]: https://github.com/lib/pq/pull/1161
 [#1166]: https://github.com/lib/pq/pull/1166
 [#1179]: https://github.com/lib/pq/pull/1179
+[#1180]: https://github.com/lib/pq/pull/1180
 [#1184]: https://github.com/lib/pq/pull/1184
 [#1211]: https://github.com/lib/pq/pull/1211
 [#1212]: https://github.com/lib/pq/pull/1212

conn.go

@@ -1184,20 +1184,24 @@ func (cn *conn) ssl(o values) error {
 		return nil
 	}
 
-	w := cn.writeBuf(0)
-	w.int32(80877103)
-	if err = cn.sendStartupPacket(w); err != nil {
-		return err
-	}
+	// only negotiate the ssl handshake if requested (which is the default).
+	// sllnegotiation=direct is supported by pg17 and above.
+	if sslnegotiation(o) {
+		w := cn.writeBuf(0)
+		w.int32(80877103)
+		if err = cn.sendStartupPacket(w); err != nil {
+			return err
+		}
 
-	b := cn.scratch[:1]
-	_, err = io.ReadFull(cn.c, b)
-	if err != nil {
-		return err
-	}
+		b := cn.scratch[:1]
+		_, err = io.ReadFull(cn.c, b)
+		if err != nil {
+			return err
+		}
 
-	if b[0] != 'S' {
-		return ErrSSLNotSupported
+		if b[0] != 'S' {
+			return ErrSSLNotSupported
+		}
 	}
 
 	cn.c, err = upgrade(cn.c)

doc.go

@@ -55,6 +55,7 @@ supported:
   - sslkey - Key file location. The file must contain PEM encoded data.
   - sslrootcert - The location of the root certificate file. The file
     must contain PEM encoded data.
+  - sslnegotiation - when set to "direct" it will use SSL without negotiation (PostgreSQL ≥17 only).
 
 Valid values for sslmode are:
 

ssl.go

@@ -211,3 +211,12 @@ func sslVerifyCertificateAuthority(client *tls.Conn, tlsConf *tls.Config) error
 	_, err = certs[0].Verify(opts)
 	return err
 }
+
+// sslnegotiation returns true if we should negotiate SSL.
+// returns false if there should be no negotiation and we should upgrade immediately.
+func sslnegotiation(o values) bool {
+	if v, ok := o["sslnegotiation"]; ok && v == "direct" {
+		return false
+	}
+	return true
+}

ssl_test.go

@@ -324,6 +324,7 @@ func TestSNISupport(t *testing.T) {
 		conn_param   string
 		hostname     string
 		expected_sni string
+		direct       bool
 	}{
 		{
 			name:         "SNI is set by default",
@@ -349,6 +350,19 @@ func TestSNISupport(t *testing.T) {
 			hostname:     "127.0.0.1",
 			expected_sni: "",
 		},
+		{
+			name:         "SNI is set for negotiated ssl",
+			conn_param:   "sslnegotiation=postgres",
+			hostname:     "localhost",
+			expected_sni: "localhost",
+		},
+		{
+			name:         "SNI is set for direct ssl",
+			conn_param:   "sslnegotiation=direct",
+			hostname:     "localhost",
+			expected_sni: "localhost",
+			direct:       true,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt
@@ -362,7 +376,7 @@ func TestSNISupport(t *testing.T) {
 			}
 			serverErrChan := make(chan error, 1)
 			serverSNINameChan := make(chan string, 1)
-			go mockPostgresSSL(listener, serverErrChan, serverSNINameChan)
+			go mockPostgresSSL(listener, tt.direct, serverErrChan, serverSNINameChan)
 
 			defer listener.Close()
 			defer close(serverErrChan)
@@ -397,7 +411,7 @@ func TestSNISupport(t *testing.T) {
 //
 // Accepts postgres StartupMessage and handles TLS clientHello, then closes a connection.
 // While reading clientHello catch passed SNI data and report it to nameChan.
-func mockPostgresSSL(listener net.Listener, errChan chan error, nameChan chan string) {
+func mockPostgresSSL(listener net.Listener, direct bool, errChan chan error, nameChan chan string) {
 	var sniHost string
 
 	conn, err := listener.Accept()
@@ -413,23 +427,25 @@ func mockPostgresSSL(listener net.Listener, errChan chan error, nameChan chan st
 		return
 	}
 
-	// Receive StartupMessage with SSL Request
-	startupMessage := make([]byte, 8)
-	if _, err := io.ReadFull(conn, startupMessage); err != nil {
-		errChan <- err
-		return
-	}
-	// StartupMessage: first four bytes -- total len = 8, last four bytes SslRequestNumber
-	if !bytes.Equal(startupMessage, []byte{0, 0, 0, 0x8, 0x4, 0xd2, 0x16, 0x2f}) {
-		errChan <- fmt.Errorf("unexpected startup message: %#v", startupMessage)
-		return
-	}
+	if !direct {
+		// Receive StartupMessage with SSL Request
+		startupMessage := make([]byte, 8)
+		if _, err := io.ReadFull(conn, startupMessage); err != nil {
+			errChan <- err
+			return
+		}
+		// StartupMessage: first four bytes -- total len = 8, last four bytes SslRequestNumber
+		if !bytes.Equal(startupMessage, []byte{0, 0, 0, 0x8, 0x4, 0xd2, 0x16, 0x2f}) {
+			errChan <- fmt.Errorf("unexpected startup message: %#v", startupMessage)
+			return
+		}
 
-	// Respond with SSLOk
-	_, err = conn.Write([]byte("S"))
-	if err != nil {
-		errChan <- err
-		return
+		// Respond with SSLOk
+		_, err = conn.Write([]byte("S"))
+		if err != nil {
+			errChan <- err
+			return
+		}
 	}
 
 	// Set up TLS context to catch clientHello. It will always error out during handshake