Depreciation warning for ACE with postgres

Hi,
When using atlassian-connect-express with postgres, the following depreciation warning appears at app startup:

DeprecationWarning: Implicit disabling of certificate verification is
deprecated and will be removed in pg 8. Specify `rejectUnauthorized:
true` to require a valid CA or `rejectUnauthorized: false` to
explicitly opt out of MITM protection.

This is a known problem with node-pg: https://github.com/brianc/node-postgres/issues/2089

The problem with ACE is that we can’t (or at least I don’t know how) set the configuration for the pg connection. In ACE the connection is configured in config.json, and adding the TLS config there has no effect as the additional configuration parameters are not read by ACE.

My impression is that it’s somewhat urgent to fix this.

This is also related to Force ssl database connection with ACE and https://ecosystem.atlassian.net/browse/ACEJS-141

2 Likes

Tagging @nmansilla : What is the best way to report this / get a response or confirmation? I haven’t opened a ticket yet.

Our solution to this problem was to write our own storage adapter (based on the ACE one), and add specific dialectOptions.

1 Like

Where’s the right place to open issues against ACE? This is something that should get patched in ACE at some point.

@BobBergman I’ve tried DEVHELP in the past, and that seemed to not work.
Then I did a pull request for ACE template for the updated security requirements, and that got rewritten and merged.

For another issue I also did a pull request. However no feedback.

1 Like

This issue has been resolved in ACE by commit https://bitbucket.org/atlassian/atlassian-connect-express/commits/071610cdf2dbaaabbcd7aa4e931462d68208784f and is released from ACE 4.2.0 on.

That means you can add e.g.

dialectOptions: { ssl: { rejectUnauthorized: true } }

to config.json

1 Like