config: add sslmode verify-ca and verify-full

When a connection is established, the added modes are treated in the
same way as the existing `require` mode as they both require a TLS
connection.

Author: uce

postgres/src/config.rs

@@ -34,7 +34,8 @@ use tokio_postgres::{Error, Socket};
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`.
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting

tokio-postgres/src/config.rs

@@ -42,6 +42,10 @@ pub enum SslMode {
     Prefer,
     /// Require the use of TLS.
     Require,
+    /// Require the use of TLS.
+    VerifyCa,
+    /// Require the use of TLS.
+    VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -95,7 +99,8 @@ pub enum Host {
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`.
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -432,6 +437,8 @@ impl Config {
                     "disable" => SslMode::Disable,
                     "prefer" => SslMode::Prefer,
                     "require" => SslMode::Require,
+                    "verify-ca" => SslMode::VerifyCa,
+                    "verify-full" => SslMode::VerifyFull,
                     _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
                 };
                 self.ssl_mode(mode);

tokio-postgres/src/connect_tls.rs

@@ -21,7 +21,7 @@ where
         SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {
             return Ok(MaybeTlsStream::Raw(stream))
         }
-        SslMode::Prefer | SslMode::Require => {}
+        SslMode::Prefer | SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {}
     }
 
     let mut buf = BytesMut::new();
@@ -32,10 +32,11 @@ where
     stream.read_exact(&mut buf).await.map_err(Error::io)?;
 
     if buf[0] != b'S' {
-        if SslMode::Require == mode {
-            return Err(Error::tls("server does not support TLS".into()));
-        } else {
-            return Ok(MaybeTlsStream::Raw(stream));
+        match mode {
+            SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {
+                return Err(Error::tls("server does not support TLS".into()))
+            }
+            SslMode::Disable | SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),
         }
     }