Uploaded image for project: 'Okapi'
  1. Okapi
  2. OKAPI-787

Support SSL connections to Postgres

    XMLWordPrintable

Details

    • CP: sprint 89, CP: sprint 90
    • 2
    • Core: Platform

    Description

      Okapi 2.36.0 is not able to talk to a PostgreSQL server that enforces SSL communication. Although a dedicated VLAN can be used for communication of this type, a single error or bug in the network setup can severely impact query privacy in this scenario, including exposure of database (login) information to a sniffing attacker. Defense in depth -> use everything that secures confidentiality and security of communication and hampers a potential adversary, so even crushing 0day exploits are highly unlikely to compromise the setup.

      All vert.x PostgreSQL clients have SSL/TLS disabled by default:
      https://vertx.io/docs/vertx-mysql-postgresql-client/java/#_configuration
      https://vertx.io/docs/vertx-pg-client/java/#_using_ssl_tls

      It checks the server certificate (sslmode=verify-full) to prevent man-in-the-middle attacks (FOLIO-2412): https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION

      Enable TLSv1.3 only. If there is a need to support older protocol versions (that are not state of the art and violate GDPR) we can add them later.

      TestRail: Results

        Attachments

          Issue Links

            is blocked by

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-854 Json-configured database user postgres_user not honored

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed
            is cloned by

            New Feature - New feature requests RMB-546 Support TLS/SSL connections to Postgres

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            is duplicated by

            Task - A task that needs to be done. FOLIO-2406 SSL/TLS, SCRAM-SHA-256, migration to PostgreSQL 10 (or higher)

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            relates to

            Umbrella - FOLIO-1134 Secure public AWS instances

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Open

            Task - A task that needs to be done. OKAPI-788 Upgrade to Vert.x 4.0 milestone 4

            • TBD - To be determined
            • Closed

            New Feature - New feature requests OKAPI-792 PostgreSQL SSL CA Certificate configuration option

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. FOLIO-2412 Clients should verify PostgreSQL SSL/TLS server certificate

            • P2 - normal priority level, must be included in the current development cycle
            • Blocked

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-861 Unit test PostgresHandleTest fails if Docker is unavailable

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-888 Test warning: Corrupted STDOUT by directly writing to native stream in forked JVM 1.

            • TBD - To be determined
            • Closed

            Activity

              People

                julianladisch Julian Ladisch
                drexljo Johannes Drexl
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases