Skip to content

NoHostnameTlsVerifier does not work with rustls v0.23.24 or later #3793

New issue
New issue
Open
#3861
Open
NoHostnameTlsVerifier does not work with rustls v0.23.24 or later#3793
#3861
Labels
bug
@philipahlberg

Description

@philipahlberg
philipahlberg
opened on Mar 18, 2025

I have found these related issues/pull requests

N/A

Description

rustls v0.23.24 (release notes here) introduces, among other things, a new variant NotValidForNameContext to the CertificateError enum. As a result, the explicit handling of the variant NotValidForName is no longer sufficient to avoid TLS verification errors relating to a mismatch between the remote hostname and what is specified in the certificate:

sqlx/sqlx-core/src/net/tls/tls_rustls.rs

Line 309 in e474be6

Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)) => {

This enum is marked as #[non_exhaustive], which is presumably why this changed is considered a non-breaking change. Nonetheless, this breaks connections that rely on NoHostnameTlsVerifier.

Reproduction steps

  1. Create a new project using sqlx with the runtime-tokio-rustls feature.
  2. Set up a database with TLS enabled. Ensure the database specifies a DNS name in its certificate.
  3. Connect to the database via its IP address.

The above steps should result in an error.

SQLx version

0.8.3

Enabled SQLx features

runtime-tokio-rustls, postgres, macros, migrate, time, rust_decimal

Database server and version

Postgres 15.2

Operating system

Debian-based

Rust version

1.85

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions