Hi,

Fixed in http://trac.calendarserver.org/changeset/15710/CalendarServer/trunk
Because pg8000 has a separate kwarg to enable SSL, and because Twisted / endpoints don't have to do anything differently for an SSL connection via pg8000 to succeed, I went with a separate 'ssl' option for the DB config dict instead of adding support for a 'tcps' prefix. Although the pg8000 documentation doesn't state this explicitly, testing shows that enabling this option *requires <http://trac.calendarserver.org/changeset/15714/CalendarServer/trunk>* SSL, and does not merely use SSL if available. The connection will fail if SSL is not available.

-dre

> On Jun 24, 2016, at 3:50 PM, Andre LaBranche <d...@apple.com> wrote:
>
> Rebuilding PG with openssl support wasn't that hard. Turns out I already had
> openssl installed via brew, so just needed to define a couple env vars.
>
>> I tried the most naive thing I could think of,
>
> ... no it's not that simple. Also because that patch is bunk, as the string
> slice is off by one, so fails to capture the entire hostname when there is a
> tcps: prefix.
>
>> since I believe none of the parameters we pass down to pg8000 are TLS-aware
>
> Yes, they are. The one called 'ssl' in pg8000/__init__.py which is a bool.
>
> After some reckless hacking, I got this to work, verified by the fact that my
> PG server is configured to allow only connections that use SSL. I'll clean
> this up and do some more testing before committing.
>
> -dre
> _______________________________________________
> calendarserver-dev mailing list
> calendarserver-dev@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/calendarserver-dev
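The difference between requiring SSL and using it only if available, shown at the PostgreSQL wire level as an added example (not code from CalendarServer or pg8000). The names `negotiate`, `fake_server`, `run` and `SSLRequired` are hypothetical, and the server side is a constructed stand-in on a local socket pair.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 code 80877103.
SSL_REQUEST = struct.pack("!ii", 8, 80877103)


class SSLRequired(Exception):
    """Raised when TLS is mandatory and the server does not agree to it."""


def negotiate(sock, require_ssl):
    """Send SSLRequest and return True if the server agreed to TLS.

    require_ssl=True fails closed on a refusal, the behaviour the message
    reports for the 'ssl' option. require_ssl=False models "use SSL if
    available" and falls back to plaintext.
    """
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)
    if answer == b"S":
        return True   # a real client would now start the TLS handshake
    if answer == b"N" and not require_ssl:
        return False  # opportunistic mode: session continues unencrypted
    raise SSLRequired("server answered %r to SSLRequest" % answer)


def fake_server(sock, supports_ssl):
    """Constructed stand-in for a PostgreSQL server's reply to SSLRequest."""
    request = sock.recv(8)
    assert request == SSL_REQUEST
    sock.sendall(b"S" if supports_ssl else b"N")
    sock.close()


def run(supports_ssl, require_ssl):
    """Run one negotiation against the stand-in server over a socket pair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server, supports_ssl))
    worker.start()
    try:
        return negotiate(client, require_ssl)
    finally:
        client.close()
        worker.join()
```

Only the fail-closed mode guarantees that credentials and queries never cross the network in cleartext when the server or a downgraded path answers `N`.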