Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NoHostnameTlsVerifier does not work with rustls v0.23.24 or later #3793

Open
philipahlberg opened this issue Mar 18, 2025 · 0 comments
Open

NoHostnameTlsVerifier does not work with rustls v0.23.24 or later #3793

philipahlberg opened this issue Mar 18, 2025 · 0 comments
Labels
bug

Comments

@philipahlberg
Copy link

philipahlberg commented Mar 18, 2025
edited
Loading

I have found these related issues/pull requests

N/A

Description

rustls v0.23.24 (release notes here) introduces, among other things, a new variant NotValidForNameContext to the CertificateError enum. As a result, the explicit handling of the variant NotValidForName is no longer sufficient to avoid TLS verification errors relating to a mismatch between the remote hostname and what is specified in the certificate:

sqlx/sqlx-core/src/net/tls/tls_rustls.rs

Line 309 in e474be6

Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)) => {

This enum is marked as #[non_exhaustive], which is presumably why this changed is considered a non-breaking change. Nonetheless, this breaks connections that rely on NoHostnameTlsVerifier.

Reproduction steps

  1. Create a new project using sqlx with the runtime-tokio-rustls feature.
  2. Set up a database with TLS enabled. Ensure the database specifies a DNS name in its certificate.
  3. Connect to the database via its IP address.

The above steps should result in an error.

SQLx version

0.8.3

Enabled SQLx features

runtime-tokio-rustls, postgres, macros, migrate, time, rust_decimal

Database server and version

Postgres 15.2

Operating system

Debian-based

Rust version

1.85
@philipahlberg philipahlberg changed the title NoHostnameTlsVerifier does not handle new variant NotValidForNameContext introduced in rustls v0.23.24 NoHostnameTlsVerifier does not work with rustls v0.23.24 or later Mar 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@philipahlberg