
Support SSL connections to Postgres


Details

    • CP: sprint 89, CP: sprint 90
    • 2
    • Core: Platform

    Description

      Okapi 2.36.0 cannot connect to a PostgreSQL server that enforces SSL/TLS. A dedicated VLAN can be used for database traffic instead, but a single error or bug in the network setup can then severely impact query privacy, including exposing database credentials to a sniffing attacker. Defense in depth: use every measure that secures the confidentiality and integrity of the connection and raises the cost for a potential adversary, so that even a critical 0-day in one layer is highly unlikely to compromise the whole setup.

      All vert.x PostgreSQL clients have SSL/TLS disabled by default:
      https://vertx.io/docs/vertx-mysql-postgresql-client/java/#_configuration
      https://vertx.io/docs/vertx-pg-client/java/#_using_ssl_tls

      The client must verify the server certificate (the equivalent of libpq's sslmode=verify-full: the certificate chains to a trusted CA and its name matches the host) to prevent man-in-the-middle attacks (FOLIO-2412): https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION

      Enable TLSv1.3 only. If there is a need to support older protocol versions (which are no longer state of the art and violate GDPR's requirement for state-of-the-art protection), they can be added later.
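      The following is an added example, not Okapi's own code, showing how the three requirements above (TLS on, server certificate verified against a CA and the host name, TLSv1.3 only) map onto the vert.x 4 reactive PostgreSQL client (io.vertx:vertx-pg-client). The insecure default configuration is shown beside the hardened one. Host name, database, credentials and the CA path are placeholders; the class and method names are invented for the example, and the API calls should be checked against the vert.x version Okapi actually builds with.

```java
// Added example (not Okapi's code): vert.x 4 vertx-pg-client configuration
// that refuses to connect unless the server presents a certificate chaining
// to the given CA and matching its host name, and only TLSv1.3 is negotiated.
// All host names, paths and credentials below are placeholders.
import io.vertx.core.Vertx;
import io.vertx.core.net.PemTrustOptions;
import io.vertx.pgclient.PgConnectOptions;
import io.vertx.pgclient.PgPool;
import io.vertx.pgclient.SslMode;
import io.vertx.sqlclient.PoolOptions;

import java.util.Collections;

public class PgTlsExample {

  // Insecure default: SSL/TLS is off. A sniffer on the path sees the
  // password exchange and every query and result in clear text.
  static PgConnectOptions plaintextOptions() {
    return new PgConnectOptions()
      .setHost("db.example.internal")   // placeholder
      .setPort(5432)
      .setDatabase("okapi")             // placeholder
      .setUser("okapi")                 // placeholder
      .setPassword("placeholder");
  }

  // Hardened: the equivalent of libpq sslmode=verify-full, TLSv1.3 only.
  static PgConnectOptions tlsOptions(String caPemPath) {
    return plaintextOptions()
      .setSslMode(SslMode.VERIFY_FULL)
      // VERIFY_FULL requires a trust store holding the server's CA ...
      .setPemTrustOptions(new PemTrustOptions().addCertPath(caPemPath))
      // ... and a host name verification algorithm ("HTTPS" = RFC 2818
      // style name matching); the client rejects VERIFY_FULL without it.
      .setHostnameVerificationAlgorithm("HTTPS")
      // Restrict the offered protocol list to TLSv1.3: no fallback to
      // TLSv1.2 or older even if the server would accept them.
      .setEnabledSecureTransportProtocols(Collections.singleton("TLSv1.3"));
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    PgPool pool = PgPool.pool(
      vertx,
      tlsOptions("/etc/okapi/server-ca.pem"),   // placeholder CA bundle path
      new PoolOptions().setMaxSize(4));

    // A failed certificate or host name check, or a server that only
    // offers TLSv1.2, surfaces here as a failed future rather than a
    // silently downgraded connection.
    pool.query("SELECT version()").execute()
      .onSuccess(rows -> System.out.println(rows.iterator().next().getString(0)))
      .onFailure(err -> System.err.println("TLS connection failed: " + err.getMessage()))
      .onComplete(ar -> pool.close().onComplete(v -> vertx.close()));
  }
}
```

      To check that the server side really enforces the same policy rather than merely allowing it: on PostgreSQL 12 or later set ssl_min_protocol_version = 'TLSv1.3' in postgresql.conf, and use only hostssl (never host) entries for the Okapi role in pg_hba.conf. With both in place, a client built from plaintextOptions() above is refused, while one built from tlsOptions() connects, which is a quick way to confirm the configuration without a packet capture.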


              People

                julianladisch Julian Ladisch
                drexljo Johannes Drexl