From 8a15ed42aebf45c0cfa30d37137e8974010cf174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Farkas?=
Date: Tue, 9 Apr 2024 08:39:45 +0200
Subject: [PATCH] PostgreSQL: Fix the verify-ca mode (#85530)

postgres: fix the verify-ca problem
---
 pkg/tsdb/grafana-postgresql-datasource/postgres.go | 8 ++++++++
 pkg/tsdb/grafana-postgresql-datasource/postgres_test.go | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/pkg/tsdb/grafana-postgresql-datasource/postgres.go b/pkg/tsdb/grafana-postgresql-datasource/postgres.go
index 53e46308857..95b5ec96e1c 100644
--- a/pkg/tsdb/grafana-postgresql-datasource/postgres.go
+++ b/pkg/tsdb/grafana-postgresql-datasource/postgres.go
@@ -224,6 +224,14 @@ func (s *Service) generateConnectionString(dsInfo sqleng.DataSourceInfo) (string
 connStr += fmt.Sprintf(" sslmode='%s'", escape(tlsSettings.Mode))
+ // there is an issue with the lib/pq module, the `verify-ca` tls mode
+ // does not work correctly. ( see https://github.com/lib/pq/issues/1106 )
+ // to workaround the problem, if the `verify-ca` mode is chosen,
+ // we disable sslsni.
+ if tlsSettings.Mode == "verify-ca" {
+ connStr += " sslsni=0"
+ }
+
 // Attach root certificate if provided
 if tlsSettings.RootCertFile != "" {
 logger.Debug("Setting server root certificate", "tlsRootCert", tlsSettings.RootCertFile)
diff --git a/pkg/tsdb/grafana-postgresql-datasource/postgres_test.go b/pkg/tsdb/grafana-postgresql-datasource/postgres_test.go
index 2dec40dc837..f5ccc6787f4 100644
--- a/pkg/tsdb/grafana-postgresql-datasource/postgres_test.go
+++ b/pkg/tsdb/grafana-postgresql-datasource/postgres_test.go
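Review bot: In postgres.go, the new `verify-ca` branch of generateConnectionString appends `sslsni=0` silently, and its comment does not say what the operator gives up. With SNI off the client sends no server name in the TLS handshake, so a server or proxy that picks its certificate or route by SNI may present a different chain or refuse the connection. I would add that caveat to the comment, along with a reminder that `verify-ca` validates only the chain and not the host name, so deployments that need host binding should use `verify-full`. A debug line in the style used just below, e.g. `logger.Debug("Disabling SNI for verify-ca mode")`, would make the override visible, and the comment should state that the branch is to be removed once the linked lib/pq issue is fixed. The function body starts and ends outside the hunk.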
@@ -57,6 +57,15 @@ func TestIntegrationGenerateConnectionString(t *testing.T) {
 tlsSettings: tlsSettings{Mode: "verify-full"},
 expConnStr: "user='user' password='password' host='host' dbname='database' sslmode='verify-full'",
 },
+ {
+ desc: "verify-ca automatically adds disable-sni",
+ host: "host:1234",
+ user: "user",
+ password: "password",
+ database: "database",
+ tlsSettings: tlsSettings{Mode: "verify-ca"},
+ expConnStr: "user='user' password='password' host='host' dbname='database' port=1234 sslmode='verify-ca' sslsni=0",
+ },
 {
 desc: "TCP/port host",
 host: "host:1234",
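Review bot: The added table entry pins only the generated string (`sslmode='verify-ca' sslsni=0`), so it guards the presence of the workaround but not the TLS behaviour the commit is about. If the driver's handling of `sslsni` or `verify-ca` changes, this case keeps passing while certificate validation could be stricter or looser than intended. A comment on the entry, e.g. `// workaround for lib/pq#1106; remove together with the sslsni=0 branch in postgres.go`, would explain why the expectation differs from the `verify-full` case above. The table and the test function continue outside the hunk.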