v0.8.5
This release adds TLS termination for incoming Postgres clients, enabling the various SSL modes. From now on, GatewayD acts as a TLS server when new clients try to connect via any supported SSL mode. For now, the traffic between GatewayD and Postgres will still be in plaintext, yet the traffic between GatewayD and the clients, e.g. psql, will be encrypted.
TLS works differently in Postgres than in other databases. In Postgres, the first message is an `SSLRequest` instead of a TLS handshake request, to which the server should reply either with an `S`, to acknowledge that it supports TLS and the client can initiate the TLS handshake, or with an `N`, to reject the SSL request altogether (and possibly continue with plaintext communication). Postgres clients have six SSL modes:

- `disable`: the client tries to connect with SSL disabled, and the first request will be a `StartupMessage`.
- `allow`: the client authenticates with SSL if the server enforces it (GatewayD doesn't enforce SSL at the moment).
- `prefer`: the client tries to connect with an `SSLRequest`, and the server returns one of the following responses:
  - `S`: continue with the TLS handshake, because the server supports it (GatewayD returns this if TLS is enabled).
  - `N`: continue with a `StartupMessage`, because the server doesn't support TLS (GatewayD returns this if TLS is disabled).
- `require`: requires SSL and fails if the server doesn't support it, which results in these scenarios:
  - Server supports SSL: the TLS handshake happens between the client and the server.
  - Server doesn't support SSL: the client receives an `N` and will get disconnected.
- `verify-ca` and `verify-full`: verify the server certificate and its chain of trust (see #365 (comment)).
Note
All SSL modes are tested and supported. Also, GatewayD doesn't enforce TLS unless the client requests it.
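The `SSLRequest` exchange and the per-mode client decisions described above, as an added Go example that is not GatewayD's own code: the 8-byte request layout and the request code 80877103 come from the Postgres wire protocol, the `ServerReply` policy (`S` when TLS is enabled, `N` otherwise) mirrors the behaviour these notes describe, and the function names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// An SSLRequest is 8 bytes: big-endian int32 length 8, then the int32 request
// code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
const sslRequestCode uint32 = 80877103

// BuildSSLRequest returns the bytes a client sends first in the prefer, require,
// verify-ca and verify-full modes (disable and allow start with a StartupMessage).
func BuildSSLRequest() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint32(buf[0:4], 8)
	binary.BigEndian.PutUint32(buf[4:8], sslRequestCode)
	return buf
}

// IsSSLRequest tells an SSLRequest from a StartupMessage by the first 8 bytes.
func IsSSLRequest(first []byte) bool {
	return len(first) >= 8 && binary.BigEndian.Uint32(first[0:4]) == 8 &&
		binary.BigEndian.Uint32(first[4:8]) == sslRequestCode
}

// ServerReply is the proxy's one-byte answer: 'S' when TLS is enabled on the
// proxy, 'N' when it is not (the policy the release notes describe).
func ServerReply(tlsEnabled bool) byte {
	if tlsEnabled {
		return 'S'
	}
	return 'N'
}

// ClientNext is what a client that sent an SSLRequest does with the reply: "tls"
// = start the handshake, "plain" = send a StartupMessage, error = disconnect.
func ClientNext(sslmode string, reply byte) (string, error) {
	switch reply {
	case 'S':
		return "tls", nil
	case 'N':
		if sslmode == "prefer" { // only prefer falls back to plaintext
			return "plain", nil
		}
		return "", errors.New(sslmode + ": server rejected SSL, disconnecting")
	}
	return "", errors.New("unexpected reply byte")
}
```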
What's Changed
Full Changelog: v0.8.4...v0.8.5