We are making a proof of concept to use a postgres DB with Elixir. To achieve this we are using Postgrex.
Issue
The problem here is we need to connect to the DB using a certificate instead of a username and password. Unfortunately the documentation only has 1 example where one connects via username and password.
It tells you to look into the ssl module of the Erlang standard library. To be exact, you should look at tls_option/0. In the end it is a keyword list with values specified in these type specs.
It depends what you’re trying to achieve by using TLS. If you just want to authenticate with a client certificate while obscuring data from passive observers, then just a :certfile option may work, assuming this one file contains the client certificate, any intermediate certificates needed, and the private key. If the private key is stored in a separate file you’d have to pass a :keyfile option as well.
If you want to strongly authenticate the server, to prevent active (MitM) attacks, you’re going to have to pass in a few more options, starting with verify: :verify_peer, the server’s hostname (using the :server_name_indication option is easiest) and the trusted CA certificates (using the :cacertfile option, which may interfere with selection of the client certificate’s intermediate CA certs).
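The two option sets described in the reply above, side by side, as an added example that is not part of the original thread or of Postgrex itself. The module name `PgTlsOpts`, the file paths, the hostname, the database name and the role name are all constructed for illustration.

```elixir
defmodule PgTlsOpts do
  @moduledoc "Builds Erlang :ssl client options for a Postgrex connection (hypothetical helper)."

  # Client certificate only: the server can authenticate the client and the
  # traffic is encrypted, but the server's identity is NOT verified, so an
  # active man-in-the-middle goes undetected.
  def client_cert_only(certfile, keyfile \\ nil) do
    [certfile: existing!(certfile)] ++ keyfile_opt(keyfile)
  end

  # Client certificate plus server verification: the chain is checked against
  # the CA bundle and the certificate must match `hostname`.
  def verified(hostname, cacertfile, certfile, keyfile \\ nil) do
    [
      verify: :verify_peer,
      cacertfile: existing!(cacertfile),
      # :ssl expects a charlist here, not an Elixir binary.
      server_name_indication: String.to_charlist(hostname)
    ] ++ client_cert_only(certfile, keyfile)
  end

  # :keyfile is only needed when the private key is not inside the certfile.
  defp keyfile_opt(nil), do: []
  defp keyfile_opt(path), do: [keyfile: existing!(path)]

  # Fail early with a clear message instead of an opaque TLS handshake error.
  defp existing!(path) do
    if File.regular?(path), do: path, else: raise(ArgumentError, "not a file: #{path}")
  end
end

# Usage sketch (constructed values). How the list is handed to Postgrex depends
# on the release: older versions take `ssl: true, ssl_opts: opts`, newer ones
# take `ssl: opts`.
#
#   host = "db.example.internal"
#   opts = PgTlsOpts.verified(host, "priv/ca.pem", "priv/client.pem", "priv/client.key")
#   Postgrex.start_link(
#     hostname: host,
#     database: "app_db",
#     username: "app_user",   # certificate auth still connects as a named role
#     ssl: true,
#     ssl_opts: opts
#   )
```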
This is really valuable information. I felt quite lost reading through all of those examples, it’s always good to have some extra directions.
We’re not completely sure of our implementation, but if we have additional questions we’ll be sure to post them in the forum.
As a followup from this discussion I made a PR to improve the docs:
As a newcomer, I truly believe I needed more directions and the docs were at fault. This is my approach to improving them (the simplest approach I could think of, though I am still not convinced it’s enough).
Feel free to drop in with any suggestions on how to improve.