From e18c4a7b40f173303698e7b507c0783ddc57c4bd Mon Sep 17 00:00:00 2001
From: Yuri Astrakhan
Date: Sat, 4 Feb 2023 14:19:30 -0500
Subject: [PATCH] Add sslmode `verify-ca` and `verify-full` (take 2)

Implement additional support for postgres ssl_mode parsing. The new modes will still result in a TLS error, but this approach allows users to handle additional cert validation modes before calling connect_tls()
---
 tokio-postgres/src/config.rs | 8 ++++++++
 tokio-postgres/src/connect_tls.rs | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/tokio-postgres/src/config.rs b/tokio-postgres/src/config.rs
index 5b364ec06..f29aebbc4 100644
--- a/tokio-postgres/src/config.rs
+++ b/tokio-postgres/src/config.rs
@@ -43,6 +43,12 @@ pub enum SslMode {
 Prefer,
 /// Require the use of TLS.
 Require,
+ /// Require the use of TLS. Verify peer cert without hostname verification.
+ /// The user of this lib must handle TLS verification and set ssl mode to Require before calling `connect_tls`.
+ VerifyCa,
+ /// Require the use of TLS. Verify peer cert and hostname.
+ /// The user of this lib must handle TLS verification and set ssl mode to Require before calling `connect_tls`.
+ VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -446,6 +452,8 @@ impl Config {
 "disable" => SslMode::Disable,
 "prefer" => SslMode::Prefer,
 "require" => SslMode::Require,
+ "verify-ca" => SslMode::VerifyCa,
+ "verify-full" => SslMode::VerifyFull,
 _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
 };
 self.ssl_mode(mode);
diff --git a/tokio-postgres/src/connect_tls.rs b/tokio-postgres/src/connect_tls.rs
index 5ef21ac5c..af89c4fc4 100644
--- a/tokio-postgres/src/connect_tls.rs
+++ b/tokio-postgres/src/connect_tls.rs
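Review bot: The doc comments on the new `VerifyCa` and `VerifyFull` variants open with "Require the use of TLS" and then describe certificate and hostname verification that this crate does not perform — with this patch `connect_tls` rejects both modes outright, and a reader of the enum docs should learn that plainly. Suggest stating the libpq meaning first and the crate's actual behaviour second, e.g. for `VerifyCa`: `/// Like Require, but the peer certificate must chain to a trusted CA (libpq verify-ca). This crate does not perform that check: connect_tls returns an error for this mode, so verification must be done by the TlsConnect implementation and the mode set to Require before connecting.`, with the same shape for `VerifyFull` plus hostname matching. If `SslMode` is not marked `#[non_exhaustive]` (its attributes sit above this hunk), adding variants is a breaking change for downstream code that matches on it exhaustively, which deserves a changelog line either way.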
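Review bot: The two new parse arms are not covered by a test — the diffstat lists only the two source files — so nothing pins that `sslmode=verify-ca` and `sslmode=verify-full` map to the new variants or that the older strings still parse. A case next to the crate's existing sslmode parse tests, e.g. `assert_eq!("sslmode=verify-full".parse::<Config>()?.get_ssl_mode(), SslMode::VerifyFull);` (assuming `SslMode` derives `PartialEq`; the accessor name should be checked against `Config`), would be enough. Accepting these strings is the right direction: a connection string that asks for certificate verification now fails closed in `connect_tls` rather than being rejected at parse time or silently treated as plain `require`.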
@@ -22,6 +22,11 @@ where
 return Ok(MaybeTlsStream::Raw(stream))
 }
 SslMode::Prefer | SslMode::Require => {}
+ SslMode::VerifyCa | SslMode::VerifyFull => {
+ // The user of this lib must handle TLS verification themselves
+ // and set config ssl mode to Require before calling connect_tls()
+ return Err(Error::tls("TLS verification was not handled".into()));
+ }
 }
 
 let mut buf = BytesMut::new();
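Review bot: The error returned in the new arm, `Error::tls("TLS verification was not handled".into())`, tells the operator neither which sslmode triggered it nor what to do, and that text is what surfaces in logs when a deployment puts `sslmode=verify-full` in a connection string without the rewrite this crate expects. Suggest `return Err(Error::tls("sslmode verify-ca/verify-full are not verified by tokio-postgres; verify the certificate in your TlsConnect implementation and set the mode to Require before connecting".into()));`. Placing the check ahead of the SSLRequest round-trip is the right fail-closed choice: a caller that asked for CA or hostname verification never ends up with a session that only satisfied `Require` semantics. The enclosing `connect_tls` function starts above this hunk and its body continues past it.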