Add support for sslnegotiation=direct - fixes #1104

Author: porsager

README.md

@@ -988,6 +988,7 @@ const sql = postgres('postgres://username:password@host:port/database', {
   username             : '',            // Username of database user
   password             : '',            // Password of database user
   ssl                  : false,         // true, prefer, require, tls.connect options
+  sslnegotiation       : null,          // direct
   max                  : 10,            // Max number of connections
   max_lifetime         : null,          // Max lifetime in seconds (more info below)
   idle_timeout         : 0,             // Idle connection timeout in seconds

src/connection.js

@@ -51,6 +51,7 @@ const errorFields = {
 
 function Connection(options, queues = {}, { onopen = noop, onend = noop, onclose = noop } = {}) {
   const {
+    sslnegotiation,
     ssl,
     max,
     user,
@@ -262,25 +263,29 @@ function Connection(options, queues = {}, { onopen = noop, onend = noop, onclose
   }
 
   async function secure() {
-    write(SSLRequest)
-    const canSSL = await new Promise(r => socket.once('data', x => r(x[0] === 83))) // S
-
-    if (!canSSL && ssl === 'prefer')
-      return connected()
-
-    socket.removeAllListeners()
-    socket = tls.connect({
+    if (sslnegotiation !== 'direct') {
+      write(SSLRequest)
+      const canSSL = await new Promise(r => socket.once('data', x => r(x[0] === 83))) // S
+  
+      if (!canSSL && ssl === 'prefer')
+        return connected()
+    }
+    
+    const options = {
       socket,
       servername: net.isIP(socket.host) ? undefined : socket.host,
-      ...(ssl === 'require' || ssl === 'allow' || ssl === 'prefer'
-        ? { rejectUnauthorized: false }
-        : ssl === 'verify-full'
-          ? {}
-          : typeof ssl === 'object'
-            ? ssl
-            : {}
-      )
-    })
+    }
+    
+    if (sslnegotiation === 'direct')
+      options.ALPNProtocols = ['postgresql']
+    
+    if (ssl === 'require' || ssl === 'allow' || ssl === 'prefer')
+      options.rejectUnauthorized = false
+    else if (typeof ssl === 'object')
+      Object.assign(options, ssl)
+    
+    socket.removeAllListeners()
+    socket = tls.connect(options)
     socket.on('secureConnect', connected)
     socket.on('error', error)
     socket.on('close', closed)

src/index.js

@@ -448,6 +448,7 @@ function parseOptions(a, b) {
   const defaults = {
     max             : 10,
     ssl             : false,
+    sslnegotiation  : null,
     idle_timeout    : null,
     connect_timeout : 30,
     max_lifetime    : max_lifetime,

tests/bootstrap.js

@@ -20,7 +20,7 @@ exec('psql', ['-c', 'alter database postgres_js_test owner to postgres_js_test']
 
 export function exec(cmd, args) {
   const { stderr } = spawnSync(cmd, args, { stdio: 'pipe', encoding: 'utf8' })
-  if (stderr && !stderr.includes('already exists') && !stderr.includes('does not exist'))
+  if (stderr && !stderr.includes('already exists') && !stderr.includes('does not exist') && !stderr.includes('WARNING:'))
     throw stderr
 }
 

tests/index.js

@@ -401,6 +401,17 @@ t('Connect using SSL require', async() =>
   }))]
 )
 
+t('Connect using SSL direct', async() => {
+  const [{ supported }] = await sql`select current_setting('server_version_num')::int >= 180000 as supported`
+  return [true, !supported || (await new Promise((resolve, reject) => {
+    postgres({
+      ssl: 'require',
+      sslnegotiation: 'direct',
+      idle_timeout
+    })`select 1`.then(() => resolve(true), reject)
+  }))]
+})
+
 t('Connect using SSL prefer', async() => {
   await exec('psql', ['-c', 'alter system set ssl=off'])
   await exec('psql', ['-c', 'select pg_reload_conf()'])