vapor
diff --git a/‎Sources/PostgresNIO/Connection/PostgresConnection.swift‎
Lines changed: 23 additions & 11 deletions b/‎Sources/PostgresNIO/Connection/PostgresConnection.swift‎
Lines changed: 23 additions & 11 deletions
diff --git a/‎Sources/PostgresNIO/New/Connection State Machine/ConnectionStateMachine.swift‎
Lines changed: 30 additions & 9 deletions b/‎Sources/PostgresNIO/New/Connection State Machine/ConnectionStateMachine.swift‎
Lines changed: 30 additions & 9 deletions
diff --git a/‎Sources/PostgresNIO/New/PSQLChannelHandler.swift‎
Lines changed: 29 additions & 2 deletions b/‎Sources/PostgresNIO/New/PSQLChannelHandler.swift‎
Lines changed: 29 additions & 2 deletions
diff --git a/‎Sources/PostgresNIO/New/PSQLConnection.swift‎
Lines changed: 38 additions & 9 deletions b/‎Sources/PostgresNIO/New/PSQLConnection.swift‎
Lines changed: 38 additions & 9 deletions
diff --git a/‎Tests/IntegrationTests/PSQLIntegrationTests.swift‎
Lines changed: 3 additions & 2 deletions b/‎Tests/IntegrationTests/PSQLIntegrationTests.swift‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎Tests/PostgresNIOTests/New/Connection State Machine/AuthenticationStateMachineTests.swift‎
Lines changed: 17 additions & 9 deletions b/‎Tests/PostgresNIOTests/New/Connection State Machine/AuthenticationStateMachineTests.swift‎
Lines changed: 17 additions & 9 deletions
@@ -54,17 +54,29 @@ extension PostgresConnection {
         logger: Logger = .init(label: "codes.vapor.postgres"),
         on eventLoop: EventLoop
     ) -> EventLoopFuture<PostgresConnection> {
-        let configuration = PSQLConnection.Configuration(
-            connection: .resolved(address: socketAddress, serverName: serverHostname),
-            authentication: nil,
-            tlsConfiguration: tlsConfiguration
-        )
-
-        return PSQLConnection.connect(
-            configuration: configuration,
-            logger: logger,
-            on: eventLoop
-        ).map { connection in
+        var tlsFuture: EventLoopFuture<PSQLConnection.Configuration.TLS>
+
+        if let tlsConfiguration = tlsConfiguration {
+            tlsFuture = eventLoop.makeSucceededVoidFuture().flatMapBlocking(onto: .global(qos: .default)) {
+                try PSQLConnection.Configuration.TLS.require(.init(configuration: tlsConfiguration))
+            }
+        } else {
+            tlsFuture = eventLoop.makeSucceededFuture(.disable)
+        }
+
+        return tlsFuture.flatMap { tls in
+            let configuration = PSQLConnection.Configuration(
+                connection: .resolved(address: socketAddress, serverName: serverHostname),
+                authentication: nil,
+                tls: tls
+            )
+
+            return PSQLConnection.connect(
+                configuration: configuration,
+                logger: logger,
+                on: eventLoop
+            )
+        }.map { connection in
             PostgresConnection(underlying: connection, logger: logger)
         }.flatMapErrorThrowing { error in
             throw error.asAppropriatePostgresError
 
@@ -18,8 +18,13 @@ struct ConnectionStateMachine {
     }
 
     enum State {
+        enum TLSConfiguration {
+            case prefer
+            case require
+        }
+
         case initialized
-        case sslRequestSent
+        case sslRequestSent(TLSConfiguration)
         case sslNegotiated
         case sslHandlerAdded
         case waitingToStartAuthentication
@@ -114,26 +119,38 @@ struct ConnectionStateMachine {
     init() {
         self.state = .initialized
     }
-    
+
     #if DEBUG
     /// for testing purposes only
     init(_ state: State) {
         self.state = state
     }
     #endif
+
+    enum TLSConfiguration {
+        case disable
+        case prefer
+        case require
+    }
 
-    mutating func connected(requireTLS: Bool) -> ConnectionAction {
+    mutating func connected(tls: TLSConfiguration) -> ConnectionAction {
         guard case .initialized = self.state else {
             preconditionFailure("Unexpected state")
         }
 
-        if requireTLS {
-            self.state = .sslRequestSent
+        switch tls {
+        case .disable:
+            self.state = .waitingToStartAuthentication
+            return .provideAuthenticationContext
+
+        case .prefer:
+            self.state = .sslRequestSent(.prefer)
+            return .sendSSLRequest
+
+        case .require:
+            self.state = .sslRequestSent(.require)
             return .sendSSLRequest
         }
-            
-        self.state = .waitingToStartAuthentication
-        return .provideAuthenticationContext
     }
 
     mutating func provideAuthenticationContext(_ authContext: AuthContext) -> ConnectionAction {
@@ -223,8 +240,12 @@ struct ConnectionStateMachine {
 
     mutating func sslUnsupportedReceived() -> ConnectionAction {
         switch self.state {
-        case .sslRequestSent:
+        case .sslRequestSent(.require):
             return self.closeConnectionAndCleanup(.sslUnsupported)
+
+        case .sslRequestSent(.prefer):
+            self.state = .waitingToStartAuthentication
+            return .provideAuthenticationContext
 
         case .initialized,
              .sslNegotiated,
 
@@ -57,7 +57,7 @@ final class PSQLChannelHandler: ChannelDuplexHandler {
         self.decoder = NIOSingleStepByteToMessageProcessor(PSQLBackendMessageDecoder())
     }
     #endif
-    
+
     // MARK: Handler lifecycle
 
     func handlerAdded(context: ChannelHandlerContext) {
@@ -331,7 +331,8 @@ final class PSQLChannelHandler: ChannelDuplexHandler {
     // MARK: - Private Methods -
 
     private func connected(context: ChannelHandlerContext) {
-        let action = self.state.connected(requireTLS: self.configureSSLCallback != nil)
+
+        let action = self.state.connected(tls: .init(self.configuration.tls))
 
         self.run(action, with: context)
     }
@@ -572,3 +573,29 @@ private extension Insecure.MD5.Digest {
         return String(decoding: result, as: Unicode.UTF8.self)
     }
 }
+
+extension ConnectionStateMachine.TLSConfiguration {
+    fileprivate init(_ connection: PSQLConnection.Configuration.TLS) {
+        switch connection.base {
+        case .disable:
+            self = .disable
+        case .require:
+            self = .require
+        case .prefer:
+            self = .prefer
+        }
+    }
+}
+
+extension PSQLChannelHandler {
+    convenience init(
+        configuration: PSQLConnection.Configuration,
+        configureSSLCallback: ((Channel) throws -> Void)?)
+    {
+        self.init(
+            configuration: configuration,
+            logger: .psqlNoOpLogger,
+            configureSSLCallback: configureSSLCallback
+        )
+    }
+}
@@ -23,6 +23,30 @@ final class PSQLConnection {
                 self.password = password
             }
         }
+
+        struct TLS {
+            enum Base {
+                case disable
+                case prefer(NIOSSLContext)
+                case require(NIOSSLContext)
+            }
+
+            var base: Base
+
+            private init(_ base: Base) {
+                self.base = base
+            }
+
+            static var disable: Self = Self.init(.disable)
+
+            static func prefer(_ sslContext: NIOSSLContext) -> Self {
+                self.init(.prefer(sslContext))
+            }
+
+            static func require(_ sslContext: NIOSSLContext) -> Self {
+                self.init(.require(sslContext))
+            }
+        }
 
         enum Connection {
             case unresolved(host: String, port: Int)
@@ -34,27 +58,27 @@ final class PSQLConnection {
         /// The authentication properties to send to the Postgres server during startup auth handshake
         var authentication: Authentication?
 
-        var tlsConfiguration: TLSConfiguration?
+        var tls: TLS
 
         init(host: String,
              port: Int = 5432,
              username: String,
              database: String? = nil,
              password: String? = nil,
-             tlsConfiguration: TLSConfiguration? = nil
+             tls: TLS = .disable
         ) {
             self.connection = .unresolved(host: host, port: port)
             self.authentication = Authentication(username: username, password: password, database: database)
-            self.tlsConfiguration = tlsConfiguration
+            self.tls = tls
         }
 
         init(connection: Connection,
              authentication: Authentication?,
-             tlsConfiguration: TLSConfiguration?
+             tls: TLS
         ) {
             self.connection = connection
             self.authentication = authentication
-            self.tlsConfiguration = tlsConfiguration
+            self.tls = tls
         }
     }
 
@@ -185,14 +209,19 @@ final class PSQLConnection {
                 let bootstrap = ClientBootstrap(group: eventLoop)
                     .channelInitializer { channel in
                         var configureSSLCallback: ((Channel) throws -> ())? = nil
-                        if let tlsConfiguration = configuration.tlsConfiguration {
+
+                        switch configuration.tls.base {
+                        case .disable:
+                            break
+
+                        case .prefer(let sslContext), .require(let sslContext):
                             configureSSLCallback = { channel in
                                 channel.eventLoop.assertInEventLoop()
-                                
-                                let sslContext = try NIOSSLContext(configuration: tlsConfiguration)
+
                                 let sslHandler = try NIOSSLClientHandler(
                                     context: sslContext,
-                                    serverHostname: configuration.sslServerHostname)
+                                    serverHostname: configuration.sslServerHostname
+                                )
                                 try channel.pipeline.syncOperations.addHandler(sslHandler, position: .first)
                             }
                         }
 
@@ -28,7 +28,7 @@ final class IntegrationTests: XCTestCase {
             username: env("POSTGRES_USER") ?? "test_username",
             database: env("POSTGRES_DB") ?? "test_database",
             password: "wrong_password",
-            tlsConfiguration: nil)
+            tls: .disable)
 
         let eventLoopGroup = MultiThreadedEventLoopGroup(numberOfThreads: 1)
         defer { XCTAssertNoThrow(try eventLoopGroup.syncShutdownGracefully()) }
@@ -358,7 +358,8 @@ extension PSQLConnection {
             username: env("POSTGRES_USER") ?? "test_username",
             database: env("POSTGRES_DB") ?? "test_database",
             password: env("POSTGRES_PASSWORD") ?? "test_password",
-            tlsConfiguration: nil)
+            tls: .disable
+        )
 
         return PSQLConnection.connect(configuration: config, logger: logger, on: eventLoop)
     }
 
@@ -6,7 +6,9 @@ class AuthenticationStateMachineTests: XCTestCase {
 
     func testAuthenticatePlaintext() {
         let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-        var state = ConnectionStateMachine(.waitingToStartAuthentication)
+
+        var state = ConnectionStateMachine()
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
 
         XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
         XCTAssertEqual(state.authenticationMessageReceived(.plaintext), .sendPasswordMessage(.cleartext, authContext))
@@ -15,7 +17,8 @@ class AuthenticationStateMachineTests: XCTestCase {
 
     func testAuthenticateMD5() {
         let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-        var state = ConnectionStateMachine(.waitingToStartAuthentication)
+        var state = ConnectionStateMachine()
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
         let salt: (UInt8, UInt8, UInt8, UInt8) = (0, 1, 2, 3)
 
         XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
@@ -25,7 +28,8 @@ class AuthenticationStateMachineTests: XCTestCase {
 
     func testAuthenticateMD5WithoutPassword() {
         let authContext = AuthContext(username: "test", password: nil, database: "test")
-        var state = ConnectionStateMachine(.waitingToStartAuthentication)
+        var state = ConnectionStateMachine()
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
         let salt: (UInt8, UInt8, UInt8, UInt8) = (0, 1, 2, 3)
 
         XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
@@ -35,15 +39,16 @@ class AuthenticationStateMachineTests: XCTestCase {
 
     func testAuthenticateOkAfterStartUpWithoutAuthChallenge() {
         let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-        var state = ConnectionStateMachine(.waitingToStartAuthentication)
-        
+        var state = ConnectionStateMachine()
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
         XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
         XCTAssertEqual(state.authenticationMessageReceived(.ok), .wait)
     }
 
     func testAuthenticationFailure() {
         let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-        var state = ConnectionStateMachine(.waitingToStartAuthentication)
+        var state = ConnectionStateMachine()
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
         let salt: (UInt8, UInt8, UInt8, UInt8) = (0, 1, 2, 3)
 
         XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
@@ -74,7 +79,8 @@ class AuthenticationStateMachineTests: XCTestCase {
 
         for (message, mechanism) in unsupported {
             let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-            var state = ConnectionStateMachine(.waitingToStartAuthentication)
+            var state = ConnectionStateMachine()
+            XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
             XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
             XCTAssertEqual(state.authenticationMessageReceived(message),
                            .closeConnectionAndCleanup(.init(action: .close, tasks: [], error: .unsupportedAuthMechanism(mechanism), closePromise: nil)))
@@ -92,7 +98,8 @@ class AuthenticationStateMachineTests: XCTestCase {
 
         for message in unexpected {
             let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-            var state = ConnectionStateMachine(.waitingToStartAuthentication)
+            var state = ConnectionStateMachine()
+            XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
             XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
             XCTAssertEqual(state.authenticationMessageReceived(message),
                            .closeConnectionAndCleanup(.init(action: .close, tasks: [], error: .unexpectedBackendMessage(.authentication(message)), closePromise: nil)))
@@ -118,7 +125,8 @@ class AuthenticationStateMachineTests: XCTestCase {
 
         for message in unexpected {
             let authContext = AuthContext(username: "test", password: "abc123", database: "test")
-            var state = ConnectionStateMachine(.waitingToStartAuthentication)
+            var state = ConnectionStateMachine()
+            XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
             XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
             XCTAssertEqual(state.authenticationMessageReceived(.md5(salt: salt)), .sendPasswordMessage(.md5(salt: salt), authContext))
             XCTAssertEqual(state.authenticationMessageReceived(message),