Description
Feature Description
The Cloud SQL Python Connector currently only supports verify-ca
as its highest level of SSL/TLS server certificate verification.
verify-ca: verify that the server is trustworthy by checking the certificate chain up to the root certificate
We currently only get verify-ca level security because hostname
verification is disabled.
We should support verify-full, as it is the highest level of security.
verify-full: will also verify that the server host name matches the name stored in the server certificate
To do so, we must support hostname verification.
For Public IP and PSA Private IP connections, the subject CN field of the
server certificate will contain the instance name in the form
"{project}:{instance}". The Python connector should validate that this is
set correctly during the TLS handshake, and should reject the connection
if the server CN does not match the expected instance.
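The check described above, written as an added example rather than the connector's own code: the chain is still verified by OpenSSL (verify-ca), Python's built-in hostname match is turned off because the CN is "{project}:{instance}" and not a DNS name, and the CN is compared against the expected instance immediately after the handshake, before any database protocol bytes are sent. The function and class names, the `make_context`/`connect_verified` wiring, and the sample certificate dicts are all assumptions constructed for this example; the dicts only mimic the shape returned by `SSLSocket.getpeercert()` and are not real Cloud SQL certificates.

```python
"""Post-handshake CN check for Cloud SQL server certificates.

Added example, not the Cloud SQL Python Connector's own code. All names
below are hypothetical. The check enforces that the server certificate's
subject CN is exactly "{project}:{instance}", which is what Public IP and
PSA Private IP instances present.
"""
import socket
import ssl
from typing import Any, Mapping, Optional


class ServerIdentityError(ssl.CertificateError):
    """Server certificate chain verified, but it does not name the expected instance."""


def certificate_common_name(cert: Mapping[str, Any]) -> Optional[str]:
    """Return the subject CN from a cert dict in the getpeercert() shape.

    ``cert["subject"]`` is a tuple of RDNs; each RDN is a tuple of
    (attribute, value) pairs. Returns None when no CN is present, which
    is also what an empty dict (unverified peer) yields.
    """
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def expected_common_name(project: str, instance: str) -> str:
    """The CN a Public IP / PSA instance is expected to present."""
    return f"{project}:{instance}"


def is_expected_instance(cert: Mapping[str, Any], project: str, instance: str) -> bool:
    """True only if the certificate's CN equals "{project}:{instance}" exactly."""
    return certificate_common_name(cert) == expected_common_name(project, instance)


def verify_instance_cn(cert: Mapping[str, Any], project: str, instance: str) -> str:
    """Raise ServerIdentityError unless the CN names the expected instance."""
    expected = expected_common_name(project, instance)
    actual = certificate_common_name(cert)
    if actual != expected:
        raise ServerIdentityError(
            f"server certificate CN {actual!r} does not match expected {expected!r}"
        )
    return expected


def make_context(server_ca_pem: str, client_cert_path: str, client_key_path: str) -> ssl.SSLContext:
    """Client TLS context: chain verification on, OpenSSL hostname matching off.

    Hostname matching is disabled only because the CN is not a hostname; the
    caller MUST run verify_instance_cn() after the handshake to get the
    equivalent of verify-full.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # CN is "project:instance", not a DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED       # chain to the server CA is still enforced
    ctx.load_verify_locations(cadata=server_ca_pem)
    ctx.load_cert_chain(client_cert_path, client_key_path)
    return ctx


def connect_verified(ctx: ssl.SSLContext, host: str, port: int,
                     project: str, instance: str) -> ssl.SSLSocket:
    """Open a TLS socket and refuse it unless the server names the expected instance."""
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw)               # handshake happens here; chain is checked by OpenSSL
    try:
        # getpeercert() returns {} if the peer was not verified, so the CN
        # check below also fails closed in that case.
        verify_instance_cn(tls.getpeercert(), project, instance)
    except ServerIdentityError:
        tls.close()
        raise
    return tls


# Constructed sample certificates in the getpeercert() dict shape (not real certificates).
SAMPLE_PUBLIC_IP_CERT = {
    "subject": ((("commonName", "my-project:my-instance"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}
# A constructed certificate whose SAN carries a trailing dot, as described for
# PSC / CAS instances; its CN is not "{project}:{instance}", so the CN check rejects it.
SAMPLE_DOTTED_SAN_CERT = {
    "subject": ((("commonName", "instance.example."),),),
    "subjectAltName": (("DNS", "instance.example."),),
}
```

In production the context and the post-handshake check belong together; a context with `check_hostname = False` and no CN check is exactly the verify-ca-only state the issue describes.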
Unfortunately, for PSC-enabled and CAS-based instances hostname
verification is not possible. This is because the server certificates include
the DNS name as a SAN with a trailing dot ("."). Python's SSL does not allow
trailing dots during hostname verification; it requires stripping them.
This leads to hostname mismatch errors, as the SAN is expecting a trailing dot.
See also: GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#1995