Skip to content

fix: cheaper hostname/SAN check#1194

Open
ferhatelmas wants to merge 2 commits into
masterfrom
ferhat/cheaper-identity
Open

fix: cheaper hostname/SAN check#1194
ferhatelmas wants to merge 2 commits into
masterfrom
ferhat/cheaper-identity

Conversation

@ferhatelmas

Copy link
Copy Markdown
Member

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Node gets certificate and delivers it to the default identity checker, which always fails with IPs. This default does identity matching and error construction (allocation), then discards it.

What is the new behavior?

Replace identity checker with noop.

Additional context

Certificate extraction price will still be paid (will check session resumption separately).

Signed-off-by: ferhat elmas <elmas.ferhat@gmail.com>
@ferhatelmas ferhatelmas requested a review from a team as a code owner July 2, 2026 19:54
Copilot AI review requested due to automatic review settings July 2, 2026 19:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR optimizes Postgres TLS connection setup for IP-based hosts (e.g., PgBouncer) by bypassing Node’s default hostname/SAN identity checking to avoid unnecessary work when the hostname is an IP address.

Changes:

  • Add a no-op checkServerIdentity callback for IP-host connections in getSslSettings.
  • Extend unit tests to assert checkServerIdentity behavior for IP hosts and absence for named hosts.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/internal/database/ssl.ts Adds a no-op checkServerIdentity in the IP-host SSL settings path.
src/internal/database/ssl.test.ts Updates tests to assert presence/behavior of checkServerIdentity for IP hosts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +40 to +44
return {
secureContext,
rejectUnauthorized: false,
checkServerIdentity: dontCheckServerIdentity,
}
Comment thread src/internal/database/ssl.test.ts Outdated
@coveralls

coveralls commented Jul 2, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28618583063

Coverage increased (+0.001%) to 78.822%

Details

  • Coverage increased (+0.001%) from the base build.
  • Patch coverage: 2 of 2 lines across 1 file are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 12209
Covered Lines: 10065
Line Coverage: 82.44%
Relevant Branches: 7028
Covered Branches: 5098
Branch Coverage: 72.54%
Branches in Coverage %: Yes
Coverage Strength: 422.84 hits per line

💛 - Coveralls

Signed-off-by: ferhat elmas <elmas.ferhat@gmail.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants