Merge pull request #1728 from Logflare/chore/allow-multiple-ca

chore: add depth option for ssl opts
Logflare · Oct 9, 2023 · 03011fa · 03011fa
2 parents b43252b + 2eead2a
commit 03011fa
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/config/runtime.exs b/config/runtime.exs
@@ -47,6 +47,22 @@ config :logflare,
              else: nil
            ),
          ssl: System.get_env("DB_SSL") == "true",
+         ssl_opts:
+           if(System.get_env("DB_SSL") == "true",
+             do: [
+               #  ssl opts follow recs here: https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl
+               verify: :verify_peer,
+               cacerts: :public_key.cacerts_get(),
+               # allow intermediate CA
+               depth: 3,
+               versions: [:"tlsv1.2"],
+               # support wildcard
+               customize_hostname_check: [
+                 match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+               ]
+             ],
+             else: nil
+           ),
          database: System.get_env("DB_DATABASE"),
          hostname: System.get_env("DB_HOSTNAME"),
          password: System.get_env("DB_PASSWORD"),
@@ -215,16 +231,10 @@ if(File.exists?("cacert.pem") && File.exists?("cert.pem") && File.exists?("cert.
     cacertfile: "cacert.pem",
     certfile: "cert.pem",
     keyfile: "cert.key",
-    verify: :verify_peer,
-    versions: [:"tlsv1.2"],
-    # support wildcard
-    customize_hostname_check: [
-      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
-    ]
+    verify: :verify_peer
   ]
 
   config :logflare, ssl: ssl_opts
-  config :logflare, Logflare.Repo, ssl_opts: ssl_opts
 end
 
 case System.get_env("LOGFLARE_FEATURE_FLAG_OVERRIDE") do