Streamline SSL experience

[josevalim]

@chrismccord, let me know if this works. For now, this means you need to explicitly set ssl: :verify_full in your config file but we can support "ssl=verify_full" via query string too.

[wojtekmach]

Just one comment about charlist and this is good to go. I tested it on DigitalOcean and it worked!

Mix.install([
  {:postgrex, github: "elixir-ecto/postgrex", branch: "jv-add-ssl-verify-full"}
])

{:ok, pid} =
  Postgrex.start_link(
    hostname: System.fetch_env!("DO_HOST"),
    port: 25060,
    username: "doadmin",
    password: System.fetch_env!("DO_PASSWORD"),
    database: "defaultdb",
    ssl: :verify_full,
    ssl_opts: [
      cacertfile: "/Users/wojtek/Downloads/ca-certificate.crt"
    ]
  )

IO.inspect(Postgrex.query!(pid, "SELECT NOW()", []))

[josevalim]

@voltone, please let me know if you have thoughts here, the goal is to mirror this in myxql as well.

[chrismccord]

[voltone]

There are a few more places in the docs where ssl options are described, including for example the endpoints list under "Failover with SSL support". I don't have time right now to trace the behavior of endpoints and understand the implications to propose updates, sorry. Thought I'd give my feedback now before this gets merged. I might have time tonight...

[josevalim]

Thank you @voltone, I believe I have addressed all of your concerns. However, there is one problem, we are always setting server_name_indicator, even in the cases where we would previously set only ssl: true (i.e. when verify: :verify_none). Let me know if this can be a concern because then we can set server_name_indicator: disabled instead.

[josevalim]

However, there is one problem, we are always setting server_name_indicator, even in the cases where we would previously set only ssl: true (i.e. when verify: :verify_none)

From some tests this does not seem to be an issue and, if it happens, folks can always set it to :disabled.

[wojtekmach]

I tested this on Supabase, CockroachDB, Neon, DigitalOcean PostgreSQL, and PlanetScale (which is MySQL, but same idea) and it works well! I'll work on similar change for MyXQL soon.

[josevalim]

💚 💙 💜 💛 ❤️

[ruslandoga]

👋

It seems like setting ?ssl=true overwrites the keyword options provided in config. E.g.

config :app, Repo,
  url: "ecto://postgresql://your_username:[email protected]:25060/defaultdb?ssl=true",
  ssl: [cacertfile: "/path/to/cacert.pem"]

results in

Postgrex.child_spec([repo: Repo, ssl: true, ...])

and a warning

[warning] setting ssl: true on your database connection offers only limited protection, as the server's certificate is not verified. Set "ssl: [cacertfile: path/to/file]" instead

I wonder if URL parsing logic should be updated to avoid overwriting ssl cacerts?

[josevalim]

Yes, we should probably fix it in Ecto. Maybe we ignore ssl: true if there is already a list in place (and we emit a warning).