From 10f275b9b8fcc3c0692a996ca788f710ff7e620f Mon Sep 17 00:00:00 2001
From: Andreas Motl
Date: Sun, 16 Feb 2025 12:38:11 +0100
Subject: [PATCH] Add canonical PostgreSQL client parameter `sslmode`

This implements `sslmode=prefer` to connect to SSL-enabled CrateDB instances without verifying the host name.
---
 CHANGES.md | 5 +++++
 src/sqlalchemy_cratedb/dialect.py | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index 2fba45ed..ca5ee5b9 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,11 @@
 # Changelog
 ## Unreleased
+- Added canonical [PostgreSQL client parameter `sslmode`], implementing
+ `sslmode=prefer` to connect to SSL-enabled CrateDB instances without
+ verifying the host name.
+
+[PostgreSQL client parameter `sslmode`]: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
 ## 2025/01/30 0.41.0
 - Dependencies: Updated to `crate-2.0.0`, which uses `orjson` for JSON marshalling
diff --git a/src/sqlalchemy_cratedb/dialect.py b/src/sqlalchemy_cratedb/dialect.py
index 90102a78..dec68852 100644
--- a/src/sqlalchemy_cratedb/dialect.py
+++ b/src/sqlalchemy_cratedb/dialect.py
@@ -228,8 +228,12 @@ def connect(self, host=None, port=None, *args, **kwargs):
 servers = to_list(server)
 if servers:
 use_ssl = asbool(kwargs.pop("ssl", False))
- if use_ssl:
+ # TODO: Switch to the canonical default `sslmode=prefer` later.
+ sslmode = kwargs.pop("sslmode", "disable")
+ if use_ssl or sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:
 servers = ["https://" + server for server in servers]
+ if sslmode == "require":
+ kwargs["verify_ssl_cert"] = False
 return self.dbapi.connect(servers=servers, **kwargs)
 return self.dbapi.connect(**kwargs)
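Review bot: An unrecognised `sslmode` value (for example a misspelt `verify_full`) is not in the list tested by the new `if use_ssl or sslmode in [...]` line, so unless `ssl` is also set the connection silently stays on plain HTTP instead of failing; unknown values should be rejected explicitly. The hunk also overwrites any `verify_ssl_cert` the caller passed when `sslmode` is `require`. `verify-ca` and `verify-full` never set `verify_ssl_cert`, so they depend on the driver's default, which is not visible here; using `setdefault` for `require` and an explicit `True` for the verify modes would remove that dependence. The description promises unverified connections for `sslmode=prefer`, but in the code only `require` disables verification. The body of `connect` starts above the hunk.

```python
# … unchanged: server list resolution and `use_ssl = asbool(kwargs.pop("ssl", False))` …
sslmode = kwargs.pop("sslmode", "disable")
known_modes = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
if sslmode not in known_modes:
    # Fail closed: a typo must not downgrade the connection to plain HTTP.
    raise ValueError(f"Unsupported sslmode: {sslmode!r}")
if use_ssl or sslmode != "disable":
    servers = ["https://" + server for server in servers]
if sslmode == "require":
    # Encrypt without verification, but keep an explicit caller setting.
    kwargs.setdefault("verify_ssl_cert", False)
elif sslmode in ("verify-ca", "verify-full"):
    # Do not rely on the driver's default for the verifying modes.
    kwargs["verify_ssl_cert"] = True
# … unchanged: return self.dbapi.connect(servers=servers, **kwargs) …
```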