[PM-22023] fix: enforce TLS validation for DB connections#1104
Merged
Initial change file for Least Authority audit finding Issue C — enforce strict TLS validation for PostgreSQL connections. Signed-off-by: Mike Clay <mike.clay@shielded.io>
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Remove PgSslMode::Disable path — plaintext DB connections are no longer permitted regardless of allow_non_ssl setting. The flag is deprecated with a startup warning. When ssl_root_cert is configured, connections use VerifyFull (cert + hostname validation). Without ssl_root_cert, connections fall back to Require (encrypted, no cert validation) with a warning. Add config validation for ssl_root_cert path and unit tests for SSL mode selection logic. Addresses: Least Authority Node DIFF Audit Issue C (High severity) JIRA: PM-22023 Signed-off-by: Mike Clay <mike.clay@shielded.io>
The previous commit removed PgSslMode::Disable entirely, but the node-dev-01 local environment sets ALLOW_NON_SSL=true to connect to a PostgreSQL without SSL. This caused the e2e Local Environment Tests to fail in CI. Restore the Disable path when allow_non_ssl=true with a deprecation warning. The security improvement (VerifyFull when ssl_root_cert is configured, Require as fallback) remains intact for production. Made-with: Cursor Signed-off-by: Mike Clay <mike.clay@shielded.io>
Signed-off-by: Mike Clay <mike.clay@shielded.io>
LGLO reviewed Apr 17, 2026
m2ux added a commit that referenced this pull request Apr 17, 2026
…n path The doc comment on allow_non_ssl says 'This flag is ignored — all connections use TLS', but the code still used it to set PgSslMode::Disable (plaintext). This removes the allow_non_ssl parameter from build_ssl_connect_options and get_connection entirely, and adds a runtime warning when the deprecated flag is set in config. Addresses PR #1104 review comment from @LGLO. Signed-off-by: Mike Clay <mike.clay@shielded.io>
m2ux added a commit that referenced this pull request Apr 17, 2026
The midnight-node now requires PgSslMode::Require at minimum (the allow_non_ssl flag is truly ignored). The local-environment PostgreSQL container was running without TLS, causing all e2e tests to fail with 'error occurred while attempting to establish a TLS connection: server does not support TLS'. Changes: - Generate a self-signed TLS certificate in the postgres entrypoint - Configure PostgreSQL with ssl=on and the generated cert/key - Set the custom entrypoint in docker-compose so cert generation runs - Remove ALLOW_NON_SSL from cardano entrypoint and well-known configs - Update README to reflect self-signed TLS instead of ALLOW_NON_SSL Fixes e2e test failures on PR #1104. Signed-off-by: Mike Clay <mike.clay@shielded.io>
The custom entrypoint generates self-signed TLS certificates before
calling docker-entrypoint.sh. Previously these were written to
${PGDATA}/ssl (/pgdata/ssl), but the official PostgreSQL entrypoint
runs initdb which requires PGDATA to be empty on first start. The
presence of the ssl/ subdirectory caused initdb to fail with:
initdb: error: directory "/pgdata" exists but is not empty
Move SSL certificate storage to /etc/ssl/postgres (outside PGDATA) so
initdb sees an empty data directory on first initialization.
Signed-off-by: Mike Clay <mike.clay@shielded.io>
The custom entrypoint runs as root and generates SSL certificates, but docker-entrypoint.sh drops privileges to the postgres user. The key file had root-only permissions (chmod 600 owned by root), causing: FATAL: could not load private key file "/etc/ssl/postgres/server.key": Permission denied Add chown postgres:postgres for both the key and cert files so the postgres process can read them after the privilege drop. Signed-off-by: Mike Clay <mike.clay@shielded.io>
Signed-off-by: Mike Clay <mike.clay@shielded.io> Made-with: Cursor
Signed-off-by: Squirrel <giles.cope@shielded.io>
gilescope approved these changes Apr 29, 2026
Summary
Enforce TLS validation for PostgreSQL connections and eliminate the plaintext connection path, addressing Least Authority audit finding Issue C (PM-22023).
🎫 Ticket 📐 Engineering
Motivation
See engineering plan
Changes
Node runtime — TLS enforcement
- `node/src/main_chain_follower.rs` — Extracted `build_ssl_connect_options` for testable SSL mode selection; removed `allow_non_ssl` parameter from `get_connection` and all 10 call sites; added deprecation warning when `allow_non_ssl=true` is configured
- `node/src/cfg/midnight_cfg/mod.rs` — Updated doc comments marking `allow_non_ssl` as deprecated; added `#[validate(custom)]` path-exists check for `ssl_root_cert`

Local environment — self-signed TLS for PostgreSQL
- `local-env/configurations/postgres/entrypoint.sh` — Generate a self-signed TLS certificate at container startup; store certs outside PGDATA (`/etc/ssl/postgres`) to avoid conflicting with `initdb`; `chown` certs to the `postgres` user so the server can read them after the privilege drop
- `local-env/docker-compose.yml` — Enable `ssl=on` with generated cert/key paths; set custom entrypoint to run cert generation before `docker-entrypoint.sh`
- `local-env/configurations/cardano/entrypoint.sh` — Remove `ALLOW_NON_SSL=true` env var (flag is now ignored)
- `node-dev-01`, `qanet`, `testnet-02` — Remove `ALLOW_NON_SSL` from all network YAML files
- `local-environment/README.md` — Update note from "ALLOW_NON_SSL=true" to "self-signed TLS certificate"

Release notes
- `audit-enforce-tls-validation-db.md`

📌 Submission Checklist
🔱 Fork Strategy
🗹 TODO before merging
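The SSL mode selection this PR describes (VerifyFull when `ssl_root_cert` is set, Require as the fallback, `allow_non_ssl` only producing a warning, and a path-exists check on `ssl_root_cert`), written out as an added example that is not the node's own `build_ssl_connect_options`. The `PgSslMode` enum, `DbTlsConfig` struct and the function names below are stand-ins assumed for illustration, not the project's types.

```rust
use std::path::PathBuf;

/// Stand-in for the driver's PgSslMode; only the two variants the PR keeps.
/// There is deliberately no Disable variant: plaintext is not selectable.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PgSslMode {
    Require,    // encrypted, server certificate not verified
    VerifyFull, // certificate chain and hostname verified against the root cert
}

/// Hypothetical config subset (not the real midnight_cfg struct).
#[derive(Debug, Default)]
pub struct DbTlsConfig {
    pub ssl_root_cert: Option<PathBuf>,
    pub allow_non_ssl: bool, // deprecated: read only to emit a warning
}

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    RootCertNotFound(PathBuf),
}

/// Chosen mode plus the warnings a startup log would carry.
#[derive(Debug, PartialEq, Eq)]
pub struct SslSelection {
    pub mode: PgSslMode,
    pub root_cert: Option<PathBuf>,
    pub warnings: Vec<String>,
}

/// Equivalent of the path-exists validation on ssl_root_cert: a configured
/// path that does not point at a file is a hard config error, not a silent
/// downgrade to Require.
pub fn validate(cfg: &DbTlsConfig) -> Result<(), ConfigError> {
    match &cfg.ssl_root_cert {
        Some(p) if !p.is_file() => Err(ConfigError::RootCertNotFound(p.clone())),
        _ => Ok(()),
    }
}

/// Pure selection logic; allow_non_ssl never influences the mode.
pub fn build_ssl_selection(cfg: &DbTlsConfig) -> SslSelection {
    let mut warnings = Vec::new();
    if cfg.allow_non_ssl {
        warnings.push("allow_non_ssl is deprecated and ignored; all DB connections use TLS".to_string());
    }
    match &cfg.ssl_root_cert {
        Some(p) => SslSelection { mode: PgSslMode::VerifyFull, root_cert: Some(p.clone()), warnings },
        None => {
            warnings.push("ssl_root_cert not set; TLS required but server certificate is not verified".to_string());
            SslSelection { mode: PgSslMode::Require, root_cert: None, warnings }
        }
    }
}
```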