Depreciation warning for ACE with postgres

Atlassian Developer Tools
1

Hi,
When using atlassian-connect-express with postgres, the following depreciation warning appears at app startup:

DeprecationWarning: Implicit disabling of certificate verification is
deprecated and will be removed in pg 8. Specify `rejectUnauthorized:
true` to require a valid CA or `rejectUnauthorized: false` to
explicitly opt out of MITM protection.

This is a known problem with node-pg: Not connecting to database in version 7.18.1 with ssl=true: unsupported frontend protocol · Issue #2089 · brianc/node-postgres · GitHub

The problem with ACE is that we can’t (or at least I don’t know how) set the configuration for the pg connection. In ACE the connection is configured in config.json, and adding the TLS config there has no effect as the additional configuration parameters are not read by ACE.

My impression is that it’s somewhat urgent to fix this.

This is also related to Force ssl database connection with ACE and [ACEJS-141] - Ecosystem Jira

2 Likes
2

Tagging @nmansilla : What is the best way to report this / get a response or confirmation? I haven’t opened a ticket yet.

3

Our solution to this problem was to write our own storage adapter (based on the ACE one), and add specific dialectOptions.

1 Like
4

Where’s the right place to open issues against ACE? This is something that should get patched in ACE at some point.

5

@BobBergman I’ve tried DEVHELP in the past, and that seemed to not work.
Then I did a pull request for ACE template for the updated security requirements, and that got rewritten and merged.

For another issue I also did a pull request. However no feedback.

1 Like
6

This issue has been resolved in ACE by commit atlassian / atlassian-connect-express / commit / 071610cdf2db — Bitbucket and is released from ACE 4.2.0 on.

That means you can add e.g.

dialectOptions: { ssl: { rejectUnauthorized: true } }

to config.json

1 Like