From dd9517d10ea23c62347493ace6b9121333abc68d Mon Sep 17 00:00:00 2001
From: TzeYiing
Date: Mon, 9 Oct 2023 19:28:58 +0800
Subject: [PATCH 1/3] chore: add depth option for ssl opts
---
 config/runtime.exs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/runtime.exs b/config/runtime.exs
index 72cc0c56f..178455d6b 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -216,6 +216,8 @@ if(File.exists?("cacert.pem") && File.exists?("cert.pem") && File.exists?("cert.
 certfile: "cert.pem",
 keyfile: "cert.key",
 verify: :verify_peer,
+ # allow unknown CA
+ depth: 3,
 versions: [:"tlsv1.2"],
 # support wildcard
 customize_hostname_check: [
From cf5648d4b030eae4e45080b17edcc8577371c183 Mon Sep 17 00:00:00 2001
From: TzeYiing
Date: Mon, 9 Oct 2023 19:36:19 +0800
Subject: [PATCH 2/3] chore: move changes to db ssl_opts only
---
 config/runtime.exs | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/config/runtime.exs b/config/runtime.exs
index 178455d6b..df0dcb7c6 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -47,6 +47,21 @@ config :logflare,
 else: nil
 ),
 ssl: System.get_env("DB_SSL") == "true",
+ ssl_opts:
+ if(System.get_env("DB_SSL") == "true",
+ do: [
+ verify: :verify_peer,
+ cacerts: :public_key.cacerts_get(),
+ # allow unknown CA
+ depth: 3,
+ versions: [:"tlsv1.2"],
+ # support wildcard
+ customize_hostname_check: [
+ match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+ ]
+ ],
+ else: nil
+ ),
 database: System.get_env("DB_DATABASE"),
 hostname: System.get_env("DB_HOSTNAME"),
 password: System.get_env("DB_PASSWORD"),
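Review bot: `versions: [:"tlsv1.2"]` in the new `ssl_opts` list pins the database client to TLS 1.2 only, so a server that prefers TLS 1.3 is negotiated down and a server offering only 1.3 fails to connect; the hardening guide this series links in its third commit lists, as far as I recall, both 1.2 and 1.3, so `versions: [:"tlsv1.2", :"tlsv1.3"]` is likely the intended floor unless the database endpoint is known not to support 1.3. `:public_key.cacerts_get()` is evaluated while `runtime.exs` loads and is documented to raise when no OS trust store can be read, which makes a `DB_SSL=true` boot fail closed rather than connect unverified; that is the right behaviour but worth stating, e.g. `# raises at boot if the OS trust store cannot be loaded (OTP 25+)`. The enclosing `config :logflare, ...` keyword list starts before the hunk.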
@@ -215,18 +230,10 @@ if(File.exists?("cacert.pem") && File.exists?("cert.pem") && File.exists?("cert.
 cacertfile: "cacert.pem",
 certfile: "cert.pem",
 keyfile: "cert.key",
- verify: :verify_peer,
- # allow unknown CA
- depth: 3,
- versions: [:"tlsv1.2"],
- # support wildcard
- customize_hostname_check: [
- match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
- ]
+ verify: :verify_peer
 ]
 
 config :logflare, ssl: ssl_opts
- config :logflare, Logflare.Repo, ssl_opts: ssl_opts
 end
 
 case System.get_env("LOGFLARE_FEATURE_FLAG_OVERRIDE") do
From 2eead2a2c71bd054b0ffd18b2c33493c87db70e0 Mon Sep 17 00:00:00 2001
From: TzeYiing
Date: Mon, 9 Oct 2023 19:37:12 +0800
Subject: [PATCH 3/3] chore: update inline docs
---
 config/runtime.exs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/runtime.exs b/config/runtime.exs
index df0dcb7c6..5e0f8a51f 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -50,9 +50,10 @@ config :logflare,
 ssl_opts:
 if(System.get_env("DB_SSL") == "true",
 do: [
+ # ssl opts follow recs here: https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl
 verify: :verify_peer,
 cacerts: :public_key.cacerts_get(),
- # allow unknown CA
+ # allow intermediate CA
 depth: 3,
 versions: [:"tlsv1.2"],
 # support wildcard
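Review bot: The removed lines in this hunk include the pre-existing `versions: [:"tlsv1.2"]` from the file-based `ssl_opts` that feed `config :logflare, ssl: ssl_opts`, so whatever consumes that config now falls back to OTP's default TLS version list, which varies by OTP release; the first patch of this series shows that line as context, so it predates the series, and the subject ("move changes to db ssl_opts only") does not cover dropping it. If the intent is only to take back the `depth` addition, keep the version pin next to the surviving option, `verify: :verify_peer, versions: [:"tlsv1.2"]` (or add `:"tlsv1.3"`), so the listener-side floor is unchanged. Removing `customize_hostname_check` here is harmless because it is a client-side option. The `if(File.exists?(...))` block starts before the hunk.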
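Review bot: The replacement comment `# allow intermediate CA` still misdescribes `depth: 3`: in Erlang ssl, `depth` is the maximum number of non-self-issued intermediate certificates accepted between the peer certificate and a trusted root, and recent OTP releases document a default of 10 (older ones used 1), so on current OTP `3` tightens the chain limit rather than enabling intermediates. A comment that states the constraint is clearer, e.g. `# at most 3 intermediates between the server cert and a trusted root (recent OTP default is 10)`. Unknown CAs are rejected either way, since `verify: :verify_peer` with `cacerts` requires the chain to end at a root in the loaded store. The `ssl_opts:` keyword list continues past the hunk.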