postgres: Use 'postgresql' ALPN for SSL connections

danielfrankcom · danielfrankcom · commit fac2fa953a44 · 2025-08-21T12:31:32.000-07:00
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
@@ -46,7 +46,7 @@ async-std = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true }
 
 # TLS
-native-tls = { version = "0.2.10", optional = true }
+native-tls = { version = "0.2.10", features = ["alpn"], optional = true }
 
 rustls = { version = "0.23.24", default-features = false, features = ["std", "tls12"], optional = true }
 webpki-roots = { version = "0.26", optional = true }
diff --git a/sqlx-core/src/net/tls/mod.rs b/sqlx-core/src/net/tls/mod.rs
@@ -64,6 +64,7 @@ pub struct TlsConfig<'a> {
     pub root_cert_path: Option<&'a CertificateInput>,
     pub client_cert_path: Option<&'a CertificateInput>,
     pub client_key_path: Option<&'a CertificateInput>,
+    pub alpn_protocols: Option<Vec<&'a str>>,
 }
 
 pub async fn handshake<S, Ws>(
diff --git a/sqlx-core/src/net/tls/tls_native_tls.rs b/sqlx-core/src/net/tls/tls_native_tls.rs
@@ -53,6 +53,10 @@ pub async fn handshake<S: Socket>(
         builder.add_root_certificate(native_tls::Certificate::from_pem(&data).map_err(Error::tls)?);
     }
 
+    if let Some(protocols) = config.alpn_protocols {
+        builder.request_alpns(&protocols);
+    }
+
     // authentication using user's key-file and its associated certificate
     if let (Some(cert_path), Some(key_path)) = (config.client_cert_path, config.client_key_path) {
         let cert_path = cert_path.data().await?;
diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -123,7 +123,7 @@ where
         }
     };
 
-    let config = if tls_config.accept_invalid_certs {
+    let mut config = if tls_config.accept_invalid_certs {
         if let Some(user_auth) = user_auth {
             config
                 .dangerous()
@@ -180,6 +180,15 @@ where
         }
     };
 
+    if let Some(alpn_protocols) = tls_config.alpn_protocols {
+        let alpn_protocols: Vec<Vec<u8>> = alpn_protocols
+            .into_iter()
+            .map(|s| s.as_bytes().to_vec())
+            .collect();
+
+        config.alpn_protocols = alpn_protocols;
+    }
+
     let host = ServerName::try_from(tls_config.hostname.to_owned()).map_err(Error::tls)?;
 
     let mut socket = RustlsSocket {
diff --git a/sqlx-mysql/src/connection/tls.rs b/sqlx-mysql/src/connection/tls.rs
@@ -63,6 +63,7 @@ pub(super) async fn maybe_upgrade<S: Socket>(
         root_cert_path: options.ssl_ca.as_ref(),
         client_cert_path: options.ssl_client_cert.as_ref(),
         client_key_path: options.ssl_client_key.as_ref(),
+        alpn_protocols: None,
     };
 
     // Request TLS upgrade
diff --git a/sqlx-postgres/src/connection/tls.rs b/sqlx-postgres/src/connection/tls.rs
@@ -82,6 +82,7 @@ async fn maybe_upgrade<S: Socket>(
         root_cert_path: options.ssl_root_cert.as_ref(),
         client_cert_path: options.ssl_client_cert.as_ref(),
         client_key_path: options.ssl_client_key.as_ref(),
+        alpn_protocols: Some(vec!["postgresql"]),
     };
 
     tls::handshake(socket, config, SocketIntoBox).await

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ pub struct TlsConfig<'a> {`
`64`	`64`	`pub root_cert_path: Option<&'a CertificateInput>,`
`65`	`65`	`pub client_cert_path: Option<&'a CertificateInput>,`
`66`	`66`	`pub client_key_path: Option<&'a CertificateInput>,`
	`67`	`+ pub alpn_protocols: Option<Vec<&'a str>>,`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`pub async fn handshake<S, Ws>(`