sequinstream / sequin

Stream data out of your Postgres database.
https://sequinstream.com
MIT License
490 stars, 16 forks

Allow :verify_peer for Kafka TLS connections #592

Open RTLS opened 4 hours ago

RTLS commented 4 hours ago

By default, :brod uses :verify_none for TLS connections. To support :verify_peer and other levels of TLS cert verification, we need CA certs to pass to :brod. We can have a default cert, but we will also likely need custom certificate uploads as well.

https://hexdocs.pm/brod/authentication.html#elixir-1

```elixir
import Config

config :brod,
       clients: [
         kafka_client: [
           ssl: [
             # Verify the broker's certificate chain instead of the :verify_none default
             verify: :verify_peer,
             # CA bundle used to validate that chain
             cacertfile: "/etc/ssl/certs/ca-certificates.crt",
             # Maximum number of intermediate CAs allowed in the chain
             depth: 3,
             # Also check that the certificate matches the broker hostname
             customize_hostname_check: [
               match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
             ],
           ]
         ]
       ]
```

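An added example (hypothetical code, not Sequin's or :brod's own) of building that `ssl:` keyword list per connection, covering both the default CA bundle and the uploaded custom bundle the comment says will be needed; the `KafkaTlsOpts` module, the `:custom_ca_pem` field and the default bundle path are assumptions:

```elixir
defmodule KafkaTlsOpts do
  # Hypothetical helper: turns a per-connection map into the `ssl:` options
  # that :brod hands to Erlang :ssl. Not part of Sequin or :brod.

  # Assumed default bundle path; adjust to the host's trust store location.
  @default_cacertfile "/etc/ssl/certs/ca-certificates.crt"

  @spec build(map()) :: keyword()
  def build(%{verify: :verify_none}) do
    # Matches the current :brod default: no certificate verification at all.
    [verify: :verify_none]
  end

  def build(%{verify: :verify_peer} = conn) do
    base = [
      verify: :verify_peer,
      depth: 3,
      # :verify_peer alone only validates the chain; this makes :ssl also
      # check that the certificate matches the broker hostname we dialled.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]

    case Map.get(conn, :custom_ca_pem) do
      nil ->
        # No upload: trust the OS CA bundle.
        [{:cacertfile, @default_cacertfile} | base]

      pem when is_binary(pem) ->
        # Uploaded bundle (assumed to arrive as a PEM string): decode it in
        # memory and pass DER certs via :cacerts, so nothing is written to disk.
        certs =
          for {:Certificate, der, :not_encrypted} <- :public_key.pem_decode(pem),
              do: der

        if certs == [] do
          raise ArgumentError, "uploaded CA bundle contains no certificates"
        end

        [{:cacerts, certs} | base]
    end
  end
end

# Constructed usage: a connection with no upload falls back to the default bundle.
# KafkaTlsOpts.build(%{verify: :verify_peer, custom_ca_pem: nil})
```

A rejected or empty upload raises before the client is started, so a misconfigured connection fails closed rather than silently falling back to :verify_none.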
RTLS commented 4 hours ago

See Erlang :ssl for opts: https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl.html#server-certificate-verification