Closed dar-datsystems closed 2 months ago
found the change https://github.com/elixir-ecto/postgrex/blob/cb9c213e5913f884e68b9690e3ac462999b5bb29/CHANGELOG.md?plain=1#L6
docs should reflect that https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html
We've updated Neon docs, https://neon.tech/docs/guides/elixir-ecto#configure-ecto, but forgot to update Ecto.SQL. A PR would be appreciated!
This is a breaking change, not a deprecation though.
How is it a breaking change? Passing ssl_opts should still work the same as before?
Hi @josevalim. I guess it could be a combination of our settings with the deprecation. Our backend just fails to start. We get the aforementioned warning and this error message:
WARNING setting ssl: true on your database connection offers only limited protection, as the server's certificate is not verified. Set "ssl: [cacertfile: path/to/file]" instead
ERROR Postgrex.Protocol (#PID<0.168.0>) failed to connect: ** (DBConnection.ConnectionError) ssl connect: TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure
{bad_cert,hostname_check_failed} - {:tls_alert, {:handshake_failure, ~c"TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
Our config, taken from OurApp.Repo.config(), is as follows:
[
  ssl_opts: [
    verify: :verify_peer,
    cacertfile: ~c"/app/lib/backend-0.0.1/priv/certificates/ca_cert.pem"
  ],
  timeout: 15000,
  hostname: <REDACTED>,
  port: <REDACTED>,
  migration_port: <REDACTED>,
  username: <REDACTED>,
  password: <REDACTED>,
  database: <REDACTED>,
  pool_size: 10,
  ssl: true,
  ssl_mode: :"verify-full",
  migration_timestamps: [type: :naive_datetime_usec],
  queue_target: 1000,
  queue_interval: 6000,
  idle_interval: 10000,
  prepare: :named,
  migration_lock: :pg_advisory_lock
]
Did you also update the OTP version?
The only possible failure I can think of is that we are now inserting the server_name_indication: https://github.com/elixir-ecto/postgrex/commit/de665e40e34fc1a0e88b14c09ed0912ec477cf68
Perhaps you could add server_name_indication: :disabled to your ssl_opts? But I would also try to leave it as is and make it work with the server name indication for extra security.
@josevalim We are still on OTP 25. Ecto update didn't correspond to the update of the OTP.
It was the server name indication indeed.
Setting server_name_indication: :disable in the ssl options fixed the issue.
I think this is a breaking change.
You are correct. This is still pre-1.0, so it is still fine (this and support for Elixir duration are the pending changes before 1.0) but we need to update the CHANGELOG appropriately.
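As an added example (not code from this thread or from Postgrex), the Repo config quoted above migrated from ssl: true plus ssl_opts to the ssl keyword list that the Postgrex 0.18 warning asks for, keeping certificate and hostname verification rather than disabling SNI. The environment variable names, the OurApp.Repo module and the idea that the connect host may differ from the certificate name are my assumptions; the CA file path is the one from the thread.

```elixir
# config/runtime.exs (added example; not from the thread)
import Config

# Assumption: host and credentials come from environment variables.
db_host = System.fetch_env!("DATABASE_HOST")
# Name the server certificate was issued for. Usually the host itself; set it
# separately only when you reach the server through a different name.
cert_host = System.get_env("DATABASE_CERT_HOST", db_host)

config :our_app, OurApp.Repo,
  hostname: db_host,
  port: String.to_integer(System.get_env("DATABASE_PORT", "5432")),
  username: System.fetch_env!("DATABASE_USER"),
  password: System.fetch_env!("DATABASE_PASSWORD"),
  database: System.fetch_env!("DATABASE_NAME"),
  pool_size: 10,
  # Before (warns in Postgrex 0.18): `ssl: true` plus a separate :ssl_opts list.
  #   ssl: true,
  #   ssl_opts: [verify: :verify_peer, cacertfile: ~c"/app/.../ca_cert.pem"]
  # After: the TLS options go directly under :ssl. Postgrex now also sends SNI
  # for the configured hostname, so OTP checks the certificate's name against
  # it; a mismatch is what shows up as {bad_cert, hostname_check_failed}.
  ssl: [
    verify: :verify_peer,
    cacertfile: ~c"/app/lib/backend-0.0.1/priv/certificates/ca_cert.pem",
    # Keep hostname verification: point SNI at the name in the certificate
    # instead of switching it off with :disable.
    server_name_indication: String.to_charlist(cert_host),
    # OTP's default matcher does not accept wildcard names such as
    # *.example.com; the :https match fun applies the usual web rules.
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
```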
Elixir version: 1.16.3
Database and Version: PostgreSQL 16
Postgrex Version: 0.18.0
Current behavior
I am connecting to Neon with SSL and have 1 master and 1 read replica. I keep seeing the warning below in the logs.
Expected behavior
As per the Ecto Postgres adapter docs the value for ssl is true or false and all options are to be passed in ssl_opts. Is there any change which is not reflected in the docs?