Done
Details
Assignee
Julian LadischJulian LadischReporter
Johannes DrexlJohannes DrexlPriority
P2Story Points
2Sprint
NoneDevelopment Team
Core: PlatformFix versions
Affects versions
TestRail: Cases
Open TestRail: CasesTestRail: Runs
Open TestRail: Runs
Details
Details
Assignee
Julian Ladisch
Julian LadischReporter
Johannes Drexl
Johannes DrexlPriority
P2Story Points
2
Sprint
None
Development Team
Core: Platform
Fix versions
Affects versions
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs
Created December 20, 2019 at 3:06 PM
Updated September 11, 2020 at 10:42 AM
Resolved June 12, 2020 at 7:10 AM
Okapi 2.36.0 is not able to talk to a PostgreSQL server that enforces SSL communication. Although a dedicated VLAN can be used for communication of this type, a single error or bug in the network setup can severely impact query privacy in this scenario, including exposure of database (login) information to a sniffing attacker. Defense in depth -> use everything that secures confidentiality and security of communication and hampers a potential adversary, so even crushing 0day exploits are highly unlikely to compromise the setup.
All vert.x PostgreSQL clients have SSL/TLS disabled by default:
https://vertx.io/docs/vertx-mysql-postgresql-client/java/#_configuration
https://vertx.io/docs/vertx-pg-client/java/#_using_ssl_tls
It checks the server certificate (sslmode=verify-full) to prevent man-in-the-middle attacks (FOLIO-2412): https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
Enable TLSv1.3 only. If there is a need to support older protocol versions (that are not state of the art and violate GDPR) we can add them later.