require verify-ca to specify sslrootcert when sslmode is libpq compat

hjr3 · hjr3 · commit 165b5c6e05da · 2025-04-10T19:10:40.000-04:00
diff --git a/packages/pg-connection-string/README.md b/packages/pg-connection-string/README.md
@@ -88,18 +88,21 @@ Query parameters follow a `?` character, including the following special query p
  * `encoding=<encoding>` - sets the `client_encoding` property
  * `ssl=1`, `ssl=true`, `ssl=0`, `ssl=false` - sets `ssl` to true or false, accordingly
  * `sslcompat=libpq` - use libpq semantics for `sslmode`
+ * `sslmode=<sslmode>` when `sslcompat` is not set
+   * `sslmode=disable` - sets `ssl` to false
+   * `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
+   * `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
  * `sslmode=<sslmode>` when `sslcompat=libpq`
    * `sslmode=disable` - sets `ssl` to false
    * `sslmode=prefer` - sets `ssl` to `{ rejectUnauthorized: false }`
    * `sslmode=require` - sets `ssl` to `{ rejectUnauthorized: false }` unless `sslrootcert` is specified, in which case it behaves like `verify-ca`
    * `sslmode=verify-ca` - sets `ssl` to `{ checkServerIdentity: no-op }` (verify CA, but not server identity). This verifies the presented certificate against the effective CA, i.e. the one specified in sslrootcert or the system CA if sslrootcert was not specified.
    * `sslmode=verify-full` - sets `ssl` to `{}` (verify CA and server identity)
- * `sslmode=<sslmode>` when `sslcompat` is not set
-   * `sslmode=disable` - sets `ssl` to false
-   * `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
-   * `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
  * `sslcert=<filename>` - reads data from the given file and includes the result as `ssl.cert`
  * `sslkey=<filename>` - reads data from the given file and includes the result as `ssl.key`
  * `sslrootcert=<filename>` - reads data from the given file and includes the result as `ssl.ca`
 
 A bare relative URL, such as `salesdata`, will indicate a database name while leaving other properties empty.
+
+> [!CAUTION]
+> Choosing an sslmode other than verify-full has serious security implications. Please read https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS to understand the trade-offs.
diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
@@ -107,6 +107,11 @@ function parse(str) {
         break
       }
       case 'verify-ca': {
+        if (!config.ssl.ca) {
+          throw new Error(
+            'SECURITY WARNING: Using sslmode=verify-ca requires specifying a CA with sslrootcert. If a public CA is used, verify-ca allows connections to a server that somebody else may have registered with the CA, making you vulnerable to Man-in-the-Middle attacks. Either specify a custom CA certificate with sslrootcert parameter or use sslmode=verify-full for proper security.'
+          )
+        }
         config.ssl.checkServerIdentity = function () {}
         break
       }
diff --git a/packages/pg-connection-string/test/parse.js b/packages/pg-connection-string/test/parse.js
@@ -256,27 +256,42 @@ describe('parse', function () {
     subject.ssl.should.eql(false)
   })
 
-  it('configuration parameter sslmode=prefer with libpq compatibility', function () {
-    var connectionString = 'pg:///?sslmode=prefer&sslcompat=libpq'
+  it('configuration parameter sslmode=prefer', function () {
+    var connectionString = 'pg:///?sslmode=prefer'
     var subject = parse(connectionString)
-    subject.ssl.should.eql({
-      rejectUnauthorized: false,
-    })
+    subject.ssl.should.eql({})
   })
 
-  it('configuration parameter sslmode=require with libpq compatibility', function () {
-    var connectionString = 'pg:///?sslmode=require&sslcompat=libpq'
+  it('configuration parameter sslmode=require', function () {
+    var connectionString = 'pg:///?sslmode=require'
+    var subject = parse(connectionString)
+    subject.ssl.should.eql({})
+  })
+
+  it('configuration parameter sslmode=verify-ca', function () {
+    var connectionString = 'pg:///?sslmode=verify-ca'
+    var subject = parse(connectionString)
+    subject.ssl.should.eql({})
+  })
+
+  it('configuration parameter sslmode=verify-full', function () {
+    var connectionString = 'pg:///?sslmode=verify-full'
+    var subject = parse(connectionString)
+    subject.ssl.should.eql({})
+  })
+
+  it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
+    var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
     var subject = parse(connectionString)
     subject.ssl.should.eql({
-      rejectUnauthorized: false,
+      ca: 'example ca\n',
     })
   })
 
-  it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
-    var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
+  it('configuration parameter sslmode=disable with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=disable&sslcompat=libpq'
     var subject = parse(connectionString)
-    subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
-    expect(subject.ssl.checkServerIdentity()).to.be.undefined
+    subject.ssl.should.eql(false)
   })
 
   it('configuration parameter sslmode=prefer with libpq compatibility', function () {
@@ -297,25 +312,24 @@ describe('parse', function () {
 
   it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
     var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
+    expect(function () {
+      parse(connectionString)
+    }).to.throw()
+  })
+
+  it('configuration parameter sslmode=verify-ca and sslrootcert with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq&sslrootcert=' + __dirname + '/example.ca'
     var subject = parse(connectionString)
     subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
     expect(subject.ssl.checkServerIdentity()).be.undefined
   })
 
-  it('configuration parameter sslmode=verify-full', function () {
-    var connectionString = 'pg:///?sslmode=verify-full'
+  it('configuration parameter sslmode=verify-full with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=verify-full&sslcompat=libpq'
     var subject = parse(connectionString)
     subject.ssl.should.eql({})
   })
 
-  it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
-    var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
-    var subject = parse(connectionString)
-    subject.ssl.should.eql({
-      ca: 'example ca\n',
-    })
-  })
-
   it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca with libpq compatibility', function () {
     var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require&sslcompat=libpq'
     var subject = parse(connectionString)

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,11 @@ function parse(str) {`
`107`	`107`	`break`
`108`	`108`	`}`
`109`	`109`	`case 'verify-ca': {`
	`110`	`+ if (!config.ssl.ca) {`
	`111`	`+ throw new Error(`
	`112`	`+ 'SECURITY WARNING: Using sslmode=verify-ca requires specifying a CA with sslrootcert. If a public CA is used, verify-ca allows connections to a server that somebody else may have registered with the CA, making you vulnerable to Man-in-the-Middle attacks. Either specify a custom CA certificate with sslrootcert parameter or use sslmode=verify-full for proper security.'`
	`113`	`+ )`
	`114`	`+ }`
`110`	`115`	`config.ssl.checkServerIdentity = function () {}`
`111`	`116`	`break`
`112`	`117`	`}`