From a86fc6eaaa115318b8c00cdf57c4561d99749b51 Mon Sep 17 00:00:00 2001
From: Daniel Frankcom <frankcom@amazon.com>
Date: Fri, 30 May 2025 16:10:31 -0700
Subject: [PATCH] temp

---
 packages/pg/lib/connection.js                 | 117 ++++++++++--------
 .../test/integration/gh-issues/2085-tests.js  |   2 +-
 2 files changed, 69 insertions(+), 50 deletions(-)

diff --git a/packages/pg/lib/connection.js b/packages/pg/lib/connection.js
index 8045af858..c73c857b6 100644
--- a/packages/pg/lib/connection.js
+++ b/packages/pg/lib/connection.js
@@ -35,6 +35,16 @@ class Connection extends EventEmitter {
     })
   }
 
+  _reportStreamError(error) {
+    const self = this
+
+    // errors about disconnections should be ignored during disconnect
+    if (self._ending && (error.code === 'ECONNRESET' || error.code === 'EPIPE')) {
+      return
+    }
+    self.emit('error', error)
+  }
+
   connect(port, host) {
     const self = this
 
@@ -49,14 +59,7 @@ class Connection extends EventEmitter {
       self.emit('connect')
     })
 
-    const reportStreamError = function (error) {
-      // errors about disconnections should be ignored during disconnect
-      if (self._ending && (error.code === 'ECONNRESET' || error.code === 'EPIPE')) {
-        return
-      }
-      self.emit('error', error)
-    }
-    this.stream.on('error', reportStreamError)
+    this.stream.on('error', self._reportStreamError.bind(self))
 
     this.stream.on('close', function () {
       self.emit('end')
@@ -65,46 +68,6 @@ class Connection extends EventEmitter {
     if (!this.ssl) {
       return this.attachListeners(this.stream)
     }
-
-    this.stream.once('data', function (buffer) {
-      const responseCode = buffer.toString('utf8')
-      switch (responseCode) {
-        case 'S': // Server supports SSL connections, continue with a secure connection
-          break
-        case 'N': // Server does not support SSL connections
-          self.stream.end()
-          return self.emit('error', new Error('The server does not support SSL connections'))
-        default:
-          // Any other response byte, including 'E' (ErrorResponse) indicating a server error
-          self.stream.end()
-          return self.emit('error', new Error('There was an error establishing an SSL connection'))
-      }
-      const options = {
-        socket: self.stream,
-      }
-
-      if (self.ssl !== true) {
-        Object.assign(options, self.ssl)
-
-        if ('key' in self.ssl) {
-          options.key = self.ssl.key
-        }
-      }
-
-      const net = require('net')
-      if (net.isIP && net.isIP(host) === 0) {
-        options.servername = host
-      }
-      try {
-        self.stream = getSecureStream(options)
-      } catch (err) {
-        return self.emit('error', err)
-      }
-      self.attachListeners(self.stream)
-      self.stream.on('error', reportStreamError)
-
-      self.emit('sslconnect')
-    })
   }
 
   attachListeners(stream) {
@@ -117,8 +80,64 @@ class Connection extends EventEmitter {
     })
   }
 
+  _setUpSslConnection() {
+    const self = this
+
+    const options = {
+      socket: self.stream,
+      ALPNProtocols: ['postgresql'],
+    }
+
+    if (self.ssl !== true) {
+      Object.assign(options, self.ssl)
+
+      if ('key' in self.ssl) {
+        options.key = self.ssl.key
+      }
+    }
+
+    const net = require('net')
+    const host = this.stream._host
+    if (host && net.isIP && net.isIP(host) === 0) {
+      options.servername = host
+    }
+    try {
+      self.stream = getSecureStream(options)
+    } catch (err) {
+      return self.emit('error', err)
+    }
+    self.attachListeners(self.stream)
+    this.stream.on('error', self._reportStreamError.bind(self))
+
+    self.emit('sslconnect')
+  }
+
   requestSsl() {
-    this.stream.write(serialize.requestSsl())
+    const self = this
+
+    const direct = false
+
+    if (direct) {
+      self._setUpSslConnection()
+    } else {
+      this.stream.once('data', function (buffer) {
+        const responseCode = buffer.toString('utf8')
+        switch (responseCode) {
+          case 'S': // Server supports SSL connections, continue with a secure connection
+            break
+          case 'N': // Server does not support SSL connections
+            self.stream.end()
+            return self.emit('error', new Error('The server does not support SSL connections'))
+          default:
+            // Any other response byte, including 'E' (ErrorResponse) indicating a server error
+            self.stream.end()
+            return self.emit('error', new Error('There was an error establishing an SSL connection'))
+        }
+
+        self._setUpSslConnection()
+      })
+      this.stream.write(serialize.requestSsl())
+    }
   }
 
   startup(config) {
diff --git a/packages/pg/test/integration/gh-issues/2085-tests.js b/packages/pg/test/integration/gh-issues/2085-tests.js
index d71c55c0d..310d0089a 100644
--- a/packages/pg/test/integration/gh-issues/2085-tests.js
+++ b/packages/pg/test/integration/gh-issues/2085-tests.js
@@ -12,7 +12,7 @@ if (process.env.PGTESTNOSSL) {
 
 suite.testAsync('it should connect over ssl', async () => {
   const ssl = helper.args.native
-    ? 'require'
+    ? 'no-verify'
     : {
         rejectUnauthorized: false,
       }