Summary
Explore adding TLS 1.3 support to both the PostgreSQL and Redis drivers. Currently both drivers reject TLS connections (sslmode=require for PG, rediss:// for Redis) with a clear error message pointing here.
Why
Every cloud-hosted database service (AWS RDS, Cloud SQL, ElastiCache, Redis Cloud, Aiven, etc.) mandates TLS for in-transit encryption. Without TLS, the drivers are limited to VPC/loopback deployments.
Spike questions to answer
-
Event loop integration: The standalone epoll/io_uring loop operates on raw fds via unix.Read/unix.Write. Go's crypto/tls operates on net.Conn. How do we bridge these?
- Option A: Wrap the fd in
net.FileConn, then wrap in tls.Client. The TLS conn does blocking I/O on a goroutine; the event loop is bypassed for TLS connections. Simple but loses the event-loop advantage.
- Option B: Implement TLS record framing manually in the event loop. The event loop reads encrypted bytes, passes them through a TLS state machine, delivers plaintext to the driver. Maximum performance but extreme complexity.
- Option C: Use
tls.Conn for the handshake, then extract the symmetric keys and do record encryption/decryption inline in the event loop. Middle ground.
-
PostgreSQL SSLRequest flow: PG uses a custom SSL negotiation — client sends SSLRequest (8 bytes), server responds S (proceed) or N (reject), then standard TLS handshake begins. How does this interact with the startup state machine?
-
Redis TLS: Redis uses standard TLS on connect (no protocol-level negotiation). The rediss:// scheme signals TLS. Simpler than PG.
-
Certificate verification: Support sslmode=verify-ca and sslmode=verify-full (PG). For Redis, support custom CA certs and client certificates.
-
Performance impact: TLS adds ~1-2ms to connection setup and ~5-10µs per operation (AES-GCM hardware acceleration on modern CPUs). Benchmark the overhead.
Acceptance criteria for the spike
Out of scope for the spike
- mTLS (mutual TLS / client certificates) — follow-up issue
- STARTTLS upgrade mid-connection — not supported by PG or Redis
Summary
Explore adding TLS 1.3 support to both the PostgreSQL and Redis drivers. Currently both drivers reject TLS connections (
sslmode=requirefor PG,rediss://for Redis) with a clear error message pointing here.Why
Every cloud-hosted database service (AWS RDS, Cloud SQL, ElastiCache, Redis Cloud, Aiven, etc.) mandates TLS for in-transit encryption. Without TLS, the drivers are limited to VPC/loopback deployments.
Spike questions to answer
Event loop integration: The standalone epoll/io_uring loop operates on raw fds via
unix.Read/unix.Write. Go'scrypto/tlsoperates onnet.Conn. How do we bridge these?net.FileConn, then wrap intls.Client. The TLS conn does blocking I/O on a goroutine; the event loop is bypassed for TLS connections. Simple but loses the event-loop advantage.tls.Connfor the handshake, then extract the symmetric keys and do record encryption/decryption inline in the event loop. Middle ground.PostgreSQL SSLRequest flow: PG uses a custom SSL negotiation — client sends
SSLRequest(8 bytes), server respondsS(proceed) orN(reject), then standard TLS handshake begins. How does this interact with the startup state machine?Redis TLS: Redis uses standard TLS on connect (no protocol-level negotiation). The
rediss://scheme signals TLS. Simpler than PG.Certificate verification: Support
sslmode=verify-caandsslmode=verify-full(PG). For Redis, support custom CA certs and client certificates.Performance impact: TLS adds ~1-2ms to connection setup and ~5-10µs per operation (AES-GCM hardware acceleration on modern CPUs). Benchmark the overhead.
Acceptance criteria for the spike
sslmode=requireconnecting to a TLS-enabled PG serverrediss://connecting to a TLS-enabled Redis serverOut of scope for the spike