How to override `checkServerIdentity` for ssl connection?
See original GitHub issueI’m submitting a…
- Question
Current behavior
I can only connect to my google cloud psql instance with rejectUnauthorized: false
.
Expected behavior
I can connect to my google cloud psql instance with rejectUnauthorized: true
.
Minimal reproduction of the problem with instructions
Create a google cloud managed postgresql instance and switch on ssl/tls with the self signed CA. Then try to run migrations on the database from a remote system (like your local workstation).
What is the motivation / use case for changing the behavior?
Googles certificates are badly configured. They give you an ip to connect to, but the ip of the server is not in the list of altnames in the certificate the server provides. You will get this error message when attempting to connect with rejectUnauthorized: true
:
[ERROR] Error: Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not in the cert's list: "
Now one could possibly work around this with implementing a custom checkServerIdentity
function for the tls connection by node which should be more secure than just rejectUnauthorized: false
. Alas db-migrate
expects configuration via a database.json
, not javacript so I cannot implement the checkServerIdentity
function.
So now to the question: How to read the config for db-migrate
from a javacript file?
Environment
yarn list v1.10.1
├─ db-migrate-base@1.5.3
├─ db-migrate-pg@0.4.0
├─ db-migrate-shared@1.2.0
├─ db-migrate-sqlite3@0.3.1
└─ db-migrate@0.11.3
├─ db-migrate-pg@0.4.0
├─ pg-connection-string@0.1.3
├─ pg-pool@2.0.3
├─ pg-types@1.12.1
├─ pg@7.5.0
└─ pgpass@
Additional information:
- Node version: v8.12.0
- Platform: Linux (Ubuntu 18.04)
Issue Analytics
- State:
- Created 5 years ago
- Comments:15 (3 by maintainers)
Top GitHub Comments
Their guide is just wrong. They are crazy fools. Stop using them if they work on this poor level. This kind of advice should be illegal and punished.
Jesus, if I understand it right until recently node-postgres silently disabled cert checking and only enabled it now. I am flubberghasted! They write unbelievable bulls**t like this:
Of course this must fail because a self-signed cert is insecure ffs! Do not use self signed certs, ever!