sslmode does not support allow, prefer, require, disable #158

Open
jiezhen-chen opened this issue May 12, 2023 · 1 comment
Labels
enhancement New feature or request

jiezhen-chen commented May 12, 2023

Driver version

2.0.910

Redshift version

PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.49780

Client Operating System

macos monterey 12.6.2

Python version

3.11

Table schema

Does not apply

Problem description

  1. Expected behaviour:
    In PostgreSQL, these 5 parameters are allowed values for sslmode. However, redshift_connector only allows verify-ca and verify-full for this parameter. Redshift_connector also has ssl as a parameter.

  2. Actual behaviour:
    There are a few problems with this difference between postgreSQL and redshift_connector:
    a. To disable ssl, users using redshift_connector have to set ssl = False. Simply setting sslmode = disable will not set ssl to false. Since disable is not a recognizable value of sslmode in redshift_connector, redshift_connector will use the default of 'verify-ca' to make the connection.
    b. According to the PostgreSQL doc, the accepted values of sslmode behave as below:

disable
only try a non-SSL connection

allow
first try a non-SSL connection; if that fails, try an SSL connection

prefer (default)
first try an SSL connection; if that fails, try a non-SSL connection

require
only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified

verify-ca
only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA)

verify-full
only try an SSL connection, verify that the server certificate is issued by a trusted CA and that the requested server host name matches that in the certificate

Redshift_connector should also increase the values accepted by sslmode to align with PostgreSQL docs.

After some investigation, here is a detailed table on the behavior of sslmode of redshift_connector and psycopg2:

| sslmode | behavior in redshift connector (ssl, sslmode) | behavior in psycopg2 connector (sslmode) |
| --- | --- | --- |
| disable | ssl=defaulted to true, sslmode=verify-ca (sslmode of disable is not recognized by redshift_connector, therefore falling back to default of verify-ca) | sslmode=disable |
| allow | ssl=defaulted to true, sslmode=verify-ca | first try with sslmode=disable, if fails, try with sslmode=verify-ca |
| prefer | ssl=defaulted to true, sslmode=verify-ca | first try with sslmode=verify-ca, if fails, try with sslmode=disable |
| require | ssl=defaulted to true, sslmode=verify-ca | ssl=true, sslmode=verify-ca |
| verify-ca | ssl=defaulted to true, sslmode=verify-ca | ssl=true, sslmode=verify-ca |
| verify-full | ssl=defaulted to true, sslmode=verify-full | ssl=true, sslmode=verify-full |

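The mapping in the table above can be enforced before connecting, so that an unsupported sslmode fails loudly instead of falling back to a default. This is an added example, not code from redshift_connector or from the issue author; `resolve_ssl_kwargs` and its `allow_plaintext` flag are hypothetical names, and rejecting `allow` and `prefer` is a policy choice assumed here.

```python
# Added example: translate a libpq-style sslmode into the (ssl, sslmode)
# pair described in the issue. All names below are hypothetical.

# Values the issue says redshift_connector accepts for sslmode.
CONNECTOR_SSLMODES = {"verify-ca", "verify-full"}

# libpq modes that may end up on a non-SSL connection.
OPPORTUNISTIC = {"allow", "prefer"}


def resolve_ssl_kwargs(sslmode, allow_plaintext=False):
    """Return the ssl/sslmode keyword arguments for a libpq-style sslmode.

    Raises ValueError rather than silently substituting a default.
    """
    if not isinstance(sslmode, str):
        raise ValueError(f"sslmode must be a string, got {type(sslmode).__name__}")
    mode = sslmode.strip().lower()

    if mode in CONNECTOR_SSLMODES:
        return {"ssl": True, "sslmode": mode}
    if mode == "require":
        # The issue's table lists require as verify-ca for both drivers.
        return {"ssl": True, "sslmode": "verify-ca"}
    if mode == "disable":
        # Per the issue, only ssl=False turns SSL off; make that explicit.
        if not allow_plaintext:
            raise ValueError("sslmode=disable requested but plaintext is not allowed")
        return {"ssl": False}
    if mode in OPPORTUNISTIC:
        raise ValueError(
            f"sslmode={mode} permits a non-SSL fallback; choose an explicit mode"
        )
    raise ValueError(f"unknown sslmode {sslmode!r}")


if __name__ == "__main__":
    # Constructed inputs covering every value discussed in the issue.
    for value in ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]:
        try:
            print(value, "->", resolve_ssl_kwargs(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```

The returned dict can be passed as keyword arguments to `redshift_connector.connect` alongside the host and credentials.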
@Brooke-white

Hi Jessie,

Thanks for opening this issue. We are in discussions with the redshift driver team around next steps in addressing this. Once we have determined next steps, I will provide an update here.

@Brooke-white Brooke-white added the enhancement New feature or request label Jun 21, 2023