From ec405ccfe6b637e13e085092d13a6cb8ffb9cba9 Mon Sep 17 00:00:00 2001
From: Luigi Dragone <72573019+ldragone@users.noreply.github.com>
Date: Sat, 30 Aug 2025 19:52:44 +0200
Subject: [PATCH] Direct TLS support
---
 README.md | 2 +-
 src/connection.js | 20 +++++++++++++++++++-
 types/index.d.ts | 2 +-
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b04ac21c..34b81ff7 100644
--- a/README.md
+++ b/README.md
@@ -987,7 +987,7 @@ const sql = postgres('postgres://username:password@host:port/database', {
 database : '', // Name of database to connect to
 username : '', // Username of database user
 password : '', // Password of database user
- ssl : false, // true, prefer, require, tls.connect options
+ ssl : false, // true, prefer, require, direct, tls.connect options
 max : 10, // Max number of connections
 max_lifetime : null, // Max lifetime in seconds (more info below)
 idle_timeout : 0, // Idle connection timeout in seconds
diff --git a/src/connection.js b/src/connection.js
index c3f554aa..37a2a9ca 100644
--- a/src/connection.js
+++ b/src/connection.js
@@ -336,7 +336,11 @@ function Connection(options, queues = {}, { onopen = noop, onend = noop, onclose
 if (options.socket) return ssl ? secure() : connected()
- socket.on('connect', ssl ? secure : connected)
+ if (ssl === 'direct') {
+ socket.on('connect', directTLS)
+ } else {
+ socket.on('connect', ssl ? secure : connected)
+ }
 if (options.path) return socket.connect(options.path)
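Review bot: With a caller-supplied `options.socket`, `ssl: 'direct'` never reaches `directTLS`, because the unchanged guard `if (options.socket) return ssl ? secure() : connected()` returns before the new branch and `'direct'` is truthy, so it calls `secure()`. That function's body is outside this hunk, but it presumably performs the negotiated upgrade rather than an immediate handshake, so the requested mode is silently replaced by another. Consider routing it explicitly, e.g. `return ssl === 'direct' ? directTLS() : ssl ? secure() : connected()`, or rejecting the combination with a clear error. The enclosing function starts and ends outside the hunk.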
@@ -349,6 +353,20 @@ function Connection(options, queues = {}, { onopen = noop, onend = noop, onclose
 hostIndex = (hostIndex + 1) % port.length
 }
+ function directTLS() {
+ socket.removeAllListeners()
+ socket = tls.connect({
+ socket,
+ servername: net.isIP(socket.host) ? undefined : socket.host,
+ ALPNProtocols: ['postgresql'],
+ rejectUnauthorized: false
+ })
+ socket.on('secureConnect', connected)
+ socket.on('error', error)
+ socket.on('close', closed)
+ socket.on('drain', drain)
+ }
+
 function reconnect() {
 setTimeout(connect, closedDate ? closedDate + delay - performance.now() : 0)
 }
diff --git a/types/index.d.ts b/types/index.d.ts
index eb604918..d1bc4f12 100644
--- a/types/index.d.ts
+++ b/types/index.d.ts
@@ -44,7 +44,7 @@ interface BaseOptions> {
 * How to deal with ssl (can be a tls.connect option object)
 * @default false
 */
- ssl: 'require' | 'allow' | 'prefer' | 'verify-full' | boolean | object;
+ ssl: 'require' | 'allow' | 'prefer' | 'verify-full' | 'direct' | boolean | object;
 /**
 * Max number of connections
 * @default 10
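Review bot: `directTLS` in src/connection.js hardcodes `rejectUnauthorized: false`, so `ssl: 'direct'` encrypts the session without authenticating the server. The `servername` it sets is then used for SNI only, and because the mode is selected by a bare string the caller has no way to supply `ca` or turn verification back on. I would drop that line so `tls.connect` keeps its default chain and hostname checks, or take the TLS options from an explicit setting and state in the README and the `ssl` doc comment that `'direct'` alone does not verify the peer. It would also help to check `socket.alpnProtocol === 'postgresql'` in the `secureConnect` handler before calling `connected`, since offering `ALPNProtocols` without checking the negotiated value does not confirm the peer speaks the expected protocol.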