0

npgsql driver supports the following parameter sslrootcert=<<certname>> ? this parameter is not honored in the connection string as there is no effect. I have imported the certificate to the webserver and the updated connection string too.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
varun7447
  • 574
  • 1
  • 6
  • 27

1 Answers1

1

Npgsql currently doesn't allow specifying a certificate via the connection string, you need to provide the certificate programmatically as described in the docs. An issue already tracks specifying the certificate via the connection string.

BTW, did you see documentation saying you could use sslrootcert=<<certname>> anywhere with Npgsql?

Shay Rojansky
  • 15,357
  • 2
  • 40
  • 69
  • I don't see any documentation about sslrootcert in any npgsql documentation. I am using npgsql and AWS RDS postgres. One of my requirement is to use SSL and AWS postgres document has sslrootcert as the parameter `psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 \ "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"` – varun7447 Nov 20 '18 at 19:24
  • Options to psql can't be used as-is on Npgsql - they're two different clients. As I wrote above, you can use SSL with Npgsql, but you have to specify the certificate programmatically. – Shay Rojansky Nov 20 '18 at 19:45
  • Yeah i know they are two different clients but wondering if i just use `sslmode` is enough to connect to AWS RDS postgresql using npgsql or if the `sslrootcert` is needed for rds – varun7447 Nov 20 '18 at 20:54
  • RDS is just PostgreSQL, there's nothing special about it really. Apart from that, specifying a root CA certificate is only needed to verify the server's certificate when it is signed by a non-standard CA - usually this isn't required. Clients typically just have to provide their own certificate for authentication at the server. You can read more about all of this in the PostgreSQL docs. – Shay Rojansky Nov 20 '18 at 23:02
  • According to AWS document the root certificate is provided by AWS. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL there is a flag to pass the root certificate. maybe when we import the certificate on to the app server this sslrootcert parameter is not required. – varun7447 Nov 21 '18 at 00:45
  • That's right - if you import the certificate to the trusted root store of your app server, this is probably the best way. You can also specify `Trust Server Certificate=true` to completely bypass validation of the server certificate - but this is less secure and not ideal. Otherwise, you can provide `RemoteCertificateValidationCallback` on NpgsqlConnection, see https://stackoverflow.com/questions/7695438/verify-remote-server-x509certificate-using-ca-certificate-file for more details. – Shay Rojansky Nov 21 '18 at 06:16