Non-tls connections broken by deno 1.10 release
voltrevo opened this issue
On deno 1.9.2, when starting a non-tls connection, I get this output:
Sending fatal alert BadCertificate
TLS connection failed with message: invalid certificate: UnknownIssuer
Defaulting to non-encrypted connection
On deno 1.10.1, it changes to:
Sending fatal alert BadCertificate
error: Uncaught (in promise) InvalidData: invalid certificate: UnknownIssuer
...
In my investigation, it appears that deno 1.10.1 changes the behaviour of Deno.startTls
so that it no longer throws here:
this.#conn = await Deno.startTls(this.#conn, { hostname });
https://github.com/denodrivers/postgres/blob/5b40f16/connection/connection.ts#L266
Instead it throws when actually using the connection for the first time here:
const startup_response = await this.sendStartupMessage();
https://github.com/denodrivers/postgres/blob/5b40f16/connection/connection.ts#L296
This is a problem because the non-tls fallback is relying on Deno.startTls
throwing. When it instead throws on usage, it's handled by closing the connection and re-throwing.
Had to switch to AWS, now running into this myself. Solved it in my case by turning SSL off entirely on the RDS DB.
How about an option that forces SSL on or off? I believe currently there is "force on" only where the client still attempts to upgrade the connection. Or, if people don't like that, at least an option that forces SSL off?
@cryptogohan The only reason why users would want to switch TLS off from the driver is if they would want to connect to a server with an invalid certificate without having to use TLS. However, there is a myriad of problems that can arise from having a server with a non-secure connection access, so I just prefer to warn the users about this whenever possible
The usual behavior of the driver is to downgrade to a non-TLS connection on Deno versions 1.10 and below; this will be fixed in the next deno-postgres release
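An added example, not code from deno-postgres or Deno, showing the shape of the fix discussed in this thread: a connect routine that treats the first round-trip as part of the TLS upgrade, so a certificate error is caught in one place whether Deno rejects it inside startTls (1.9) or on the first read/write of the upgraded connection (1.10), and that replaces the silent downgrade with an explicit mode along the lines of the option asked for above ("require" fails closed, "prefer" downgrades and records a warning, "disable" skips TLS). The Conn, Dialer and StartTls types, sendStartupMessage, the hostname and the two simulated startTls behaviours are stand-ins (assumptions) so the block runs without Deno APIs.

```typescript
// Added example: Conn/Dialer/StartTls are stand-ins for Deno.Conn, Deno.connect
// and Deno.startTls (assumptions); nothing here is Deno or deno-postgres code.

interface Conn {
  write(msg: string): Promise<string>; // sends a message, resolves with the reply
  close(): void;
}

type Dialer = () => Promise<Conn>;                               // like Deno.connect
type StartTls = (conn: Conn, hostname: string) => Promise<Conn>; // like Deno.startTls

// Explicit policy instead of a silent downgrade.
type TlsMode = "require" | "prefer" | "disable";

class TlsError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "TlsError";
  }
}

interface ConnectResult {
  conn: Conn;
  encrypted: boolean;
  warning?: string; // present only when a downgrade happened
}

function errMessage(e: unknown): string {
  return e instanceof Error ? e.message : String(e);
}

// Stand-in for the driver's startup exchange. With Deno 1.10 the certificate
// error is reported from this first use of the connection, not from startTls.
async function sendStartupMessage(conn: Conn): Promise<string> {
  return conn.write("StartupMessage");
}

async function connect(dial: Dialer, hostname: string, startTls: StartTls,
                       mode: TlsMode): Promise<ConnectResult> {
  if (mode === "disable") {
    const plain = await dial();
    await sendStartupMessage(plain);
    return { conn: plain, encrypted: false };
  }
  const raw = await dial();
  let tls: Conn | undefined;
  try {
    tls = await startTls(raw, hostname); // Deno 1.9 rejects here ...
    await sendStartupMessage(tls);       // ... Deno 1.10 rejects here
    return { conn: tls, encrypted: true };
  } catch (e) {
    // Either step failing leaves a socket unusable for TLS: close it before
    // deciding, so no half-upgraded connection leaks.
    (tls ?? raw).close();
    const reason = `TLS to ${hostname} failed: ${errMessage(e)}`;
    if (mode === "require") throw new TlsError(reason);
    // "prefer": the caller accepted plaintext; open a fresh socket and say so.
    const plain = await dial();
    await sendStartupMessage(plain);
    return { conn: plain, encrypted: false, warning: `${reason}; downgraded to plaintext` };
  }
}

// Constructed simulations of the two Deno behaviours seen in the issue.
const certError = () => new Error("invalid certificate: UnknownIssuer");

function plainConn(): Conn {
  return { write: async (msg) => `ok:${msg}`, close() {} };
}

// Deno 1.9: startTls itself rejects when the certificate is rejected.
const startTlsDeno19: StartTls = async () => { throw certError(); };

// Deno 1.10: startTls resolves; the failure surfaces on the first write.
const startTlsDeno110: StartTls = async (conn) => ({
  write: async () => { throw certError(); },
  close: () => conn.close(),
});

// A server whose certificate validates: the upgrade simply succeeds.
const startTlsOk: StartTls = async (conn) => conn;

// Summarise the outcome for one (startTls, mode) pair.
async function outcome(startTls: StartTls, mode: TlsMode): Promise<string> {
  try {
    const r = await connect(async () => plainConn(), "db.internal.example", startTls, mode);
    return r.encrypted ? "encrypted" : r.warning ? "plaintext (downgraded)" : "plaintext";
  } catch (e) {
    return e instanceof TlsError ? "refused: " + e.message : "unexpected: " + errMessage(e);
  }
}

async function main(): Promise<void> {
  const cases = [["deno-1.9", startTlsDeno19], ["deno-1.10", startTlsDeno110], ["valid-cert", startTlsOk]] as const;
  for (const [label, st] of cases) {
    for (const mode of ["require", "prefer", "disable"] as const) {
      console.log(`${label.padEnd(10)} ${mode.padEnd(7)} -> ${await outcome(st, mode)}`);
    }
  }
}
main();
```

The point of the structure is that the driver decides what to do in exactly one catch block, regardless of which Deno version deferred the handshake error, and that a downgrade only ever happens because the caller chose "prefer" and is told about it in the result.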