Support SSL connections to Postgres
Description
Environment
None
Potential Workaround
None
Activity
Adam Dickmeiss, January 8, 2020 at 10:10 AM (edited)
https://vertx.io/docs/vertx-pg-client/java/ supports SSL connections so this should be easy to add now that Okapi is using it.

Adam Dickmeiss, December 21, 2019 at 1:25 PM
Are you able to get any module to use SSL? Such as the RMB based modules?

Johannes Drexl, December 20, 2019 at 3:12 PM
This is a branch from ticket https://folio-org.atlassian.net/browse/FOLIO-2406
It probably affects a lot of modules as well, but I didn't test that as of now.
Subticket for further hardening security: https://folio-org.atlassian.net/browse/FOLIO-2412
Done
Details
Assignee: Julian Ladisch
Reporter: Johannes Drexl
Priority: P2
Story Points: 2
Sprint: None
Development Team: Core: Platform
Fix versions:
Affects versions:
Created December 20, 2019 at 3:06 PM
Updated September 11, 2020 at 10:42 AM
Resolved June 12, 2020 at 7:10 AM
Okapi 2.36.0 is not able to talk to a PostgreSQL server that enforces SSL communication. Although a dedicated VLAN can be used for this kind of traffic, a single error or bug in the network setup can severely impact query privacy in that scenario, up to exposing database credentials to a sniffing attacker. Defense in depth: use every measure that secures the confidentiality and security of the communication and hampers a potential adversary, so that even a severe 0-day exploit elsewhere is highly unlikely to compromise the setup.
All vert.x PostgreSQL clients have SSL/TLS disabled by default:
https://vertx.io/docs/vertx-mysql-postgresql-client/java/#_configuration
https://vertx.io/docs/vertx-pg-client/java/#_using_ssl_tls
The client must verify the server certificate (sslmode=verify-full) to prevent man-in-the-middle attacks (FOLIO-2412): https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
Enable TLSv1.3 only. If there is a need to support older protocol versions (which are not state of the art and violate GDPR) we can add them later.
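The three requirements above (TLS on, full server certificate and host-name verification, TLSv1.3 only) map onto the vertx-pg-client options like this. This is an added example, not Okapi's own code: it assumes the vert.x 4 API (`PgConnectOptions`, `PgPool`, `SslMode`), and the host name, database, user, password and CA file path are placeholders for the deployment's own values. `SslMode.VERIFY_FULL` is the client's equivalent of libpq's `sslmode=verify-full`.

```java
import java.util.Collections;

import io.vertx.core.Vertx;
import io.vertx.core.net.PemTrustOptions;
import io.vertx.pgclient.PgConnectOptions;
import io.vertx.pgclient.PgPool;
import io.vertx.pgclient.SslMode;
import io.vertx.sqlclient.PoolOptions;

public class PgTlsExample {

  // Hypothetical helper (not part of Okapi): builds connection options that
  // satisfy the ticket's requirements. All connection values are placeholders.
  static PgConnectOptions secureConnectOptions() {
    PgConnectOptions opts = new PgConnectOptions()
      .setHost("pg.example.internal")   // must match the CN/SAN of the server certificate
      .setPort(5432)
      .setDatabase("okapi")
      .setUser("okapi")
      .setPassword("placeholder-password")
      // verify-full: require TLS, validate the certificate chain AND the host
      // name, so a server presenting a foreign certificate is rejected.
      .setSslMode(SslMode.VERIFY_FULL);
    // Trust only the CA that issued the database server's certificate.
    opts.setPemTrustOptions(new PemTrustOptions().addCertPath("/etc/okapi/pg-ca.pem"));
    // Explicitly refuse the "trust any certificate" shortcut, which would
    // silently turn verify-full into no verification at all.
    opts.setTrustAll(false);
    // TLSv1.3 only; older protocol versions are not offered in the handshake.
    opts.setEnabledSecureTransportProtocols(Collections.singleton("TLSv1.3"));
    return opts;
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    PgPool pool = PgPool.pool(vertx, secureConnectOptions(), new PoolOptions().setMaxSize(4));

    // Smoke test: the query only succeeds if the TLS handshake, the chain
    // validation and the host-name check all passed.
    pool.query("SELECT version()").execute(ar -> {
      if (ar.succeeded()) {
        System.out.println("Connected over TLS: " + ar.result().iterator().next().getString(0));
      } else {
        // A server without TLS, a certificate not issued by pg-ca.pem, a host
        // name mismatch, or a server limited to TLS 1.2 all end up here.
        System.err.println("Connection failed: " + ar.cause().getMessage());
      }
      pool.close();
      vertx.close();
    });
  }
}
```

Because `VERIFY_FULL` checks the host name against the certificate, the configured host must be the name the certificate was issued for; connecting by IP address fails unless the certificate carries a matching IP subject alternative name. Restricting the protocol set to TLSv1.3 means a PostgreSQL server whose OpenSSL build only offers TLS 1.2 will be refused, which is the intended behaviour of the requirement above.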