
chore: Enable TLS connection to postgres on newer OTP versions #4

Closed
3 tasks done
nwittstruck opened this issue Dec 25, 2023 · 0 comments · Fixed by #5

Comments

@nwittstruck
Contributor

nwittstruck commented Dec 25, 2023

Description

The upgrade to otp 25 causes issues in postgrex, see elixir-ecto/postgrex#602 and elixir-ecto/postgrex#463. Besides setting ssl: true, we also need to configure the ssl opts properly, i.e. set verify_peer, indicate the server name and implement a hostname check.

```elixir
ssl: System.get_env("DATABASE_SSL", "true") == "true",
ssl_opts: [
  verify: :verify_peer,                # fail the handshake if the chain does not validate
  cacerts: :public_key.cacerts_get(),  # supported with OTP26
  versions: [:"tlsv1.3"],
  depth: 3,                            # max number of intermediate CAs accepted in the chain
  # DATABASE_HOST must be set; String.to_charlist/1 raises on nil
  server_name_indication: String.to_charlist(System.get_env("DATABASE_HOST")),
  customize_hostname_check: [
    # match the certificate's DNS-ID/CN against the SNI host, HTTPS rules (wildcards allowed)
    match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
  ]
]
```

How SSL/TLS works in Elixir in general:
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Checklist

  • Make sure that non-ssl still works for local development
  • Test connection in production
  • Upgrade elixir, otp and postgrex
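The snippet in the issue, expanded into a complete `config/runtime.exs` that also covers the first checklist item (plaintext connections for local development keep working). This is an added example, not code from this issue or from the project; it uses the same `ssl`/`ssl_opts` pair as the issue and assumes the repo module `MyApp.Repo` and the environment variables `DATABASE_SSL`, `DATABASE_HOST`, `DATABASE_URL` and `DATABASE_CACERTFILE` (the last one only as a fallback trust store on OTP releases without `:public_key.cacerts_get/0`).

```elixir
# config/runtime.exs (added example, not the project's own config)
import Config

# Assumed environment variable; defaults to TLS on, as in the issue.
use_ssl? = System.get_env("DATABASE_SSL", "true") == "true"

ssl_opts =
  if use_ssl? do
    # The host is needed for SNI and for the hostname check, so refuse to boot
    # without it instead of crashing later inside String.to_charlist/1.
    host = System.fetch_env!("DATABASE_HOST")

    # Trust store: the OS CA bundle via :public_key.cacerts_get/0 where this OTP
    # release provides it, otherwise an explicit PEM bundle (assumed variable
    # DATABASE_CACERTFILE). verify_peer without any trusted roots would reject
    # every server, so one of the two must be present.
    trust_store =
      if Code.ensure_loaded?(:public_key) and
           function_exported?(:public_key, :cacerts_get, 0) do
        [cacerts: :public_key.cacerts_get()]
      else
        [cacertfile: System.fetch_env!("DATABASE_CACERTFILE")]
      end

    trust_store ++
      [
        verify: :verify_peer,
        versions: [:"tlsv1.3"],          # add :"tlsv1.2" only if the server lacks 1.3
        depth: 3,
        server_name_indication: String.to_charlist(host),
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ]
  else
    # Local development: plaintext connection; Postgrex ignores ssl_opts when ssl is false.
    []
  end

config :my_app, MyApp.Repo,
  url: System.fetch_env!("DATABASE_URL"),
  ssl: use_ssl?,
  ssl_opts: ssl_opts
```

With `DATABASE_SSL=false` the keyword list is empty and the connection behaves exactly as before the change. With TLS on, a wrong `DATABASE_HOST` (for example an IP address while the certificate only carries a DNS name) no longer connects silently: the handshake fails with a `bad_cert` / `hostname_check_failed` reason, which is the failure you want to see in the logs of the production test rather than an unverified connection that happens to work.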