misc: add proper ssl verification for private certs

2025-03-29 22:02:57 +00:00 · 2025-02-25 18:42:49 +09:00
5 changed files with 3 additions and 5 deletions
--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@ -28,7 +28,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
  };

  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
-    const sslOptions = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const sslOptions = providerInputs.ca ? { ca: providerInputs.ca } : undefined;
    const client = new cassandra.Client({
      sslOptions,
      protocolOptions: {
--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@ -30,7 +30,6 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
        url: new URL(`${providerInputs.host}:${providerInputs.port}`),
        ...(providerInputs.ca && {
          ssl: {
-            rejectUnauthorized: false,
            ca: providerInputs.ca
          }
        })
--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@ -96,7 +96,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
      },

      ...(providerInputs.ca && {
-        httpsAgent: new https.Agent({ ca: providerInputs.ca, rejectUnauthorized: false })
+        httpsAgent: new https.Agent({ ca: providerInputs.ca })
      })
    });

--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@ -65,7 +65,6 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
        password: providerInputs.password,
        ...(providerInputs.ca && {
          tls: {
-            rejectUnauthorized: false,
            ca: providerInputs.ca
          }
        })
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -33,7 +33,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
  };

  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
-    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const ssl = providerInputs.ca ? { ca: providerInputs.ca } : undefined;
    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;

    const db = knex({