[FOLIO-2412] Clients should verify PostgreSQL SSL/TLS server certificate
Created: 20/Dec/19 Updated: 28/May/22

| Status: | Blocked |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task |
| Priority: | P2 |
| Reporter: | Johannes Drexl |
| Assignee: | Unassigned |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | platform-backlog, postgres, security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | Core: Platform |

| Description |
Enable SSL server certificate pinning when upgrading. By default PostgreSQL clients accept connections to servers with unknown or self-signed certificates and do not perform server verification:

For each module and for Okapi, ensure that it reads the DB_SERVER_PEM environment variable (Okapi: postgres_server_pem), and if this variable is defined then all connections to PostgreSQL

Status per code base:

- Okapi: unit tested in https://github.com/folio-org/okapi/blob/v4.14.0/okapi-core/src/test/java/org/folio/okapi/service/impl/PostgresHandleTest.java#L106-L129
- RMB: unit tested in https://github.com/folio-org/raml-module-builder/blob/master/domain-models-runtime/src/test/java/org/folio/rest/persist/PostgresClientSslTest.java and available in RMB 34.0.0 (to be released).
- folio-vertx-lib: partly unit tested in https://github.com/folio-org/folio-vertx-lib/blob/v1.1.0/core/src/test/java/org/folio/tlib/postgres/TenantPgPoolTest.java#L203-L218 ; a unit test for the DB_SERVER_PEM environment variable is missing.
- Spring-based modules: how to do this is still to be investigated.
- ERM modules (Grails based): still to be investigated.
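As an added example, not code from Okapi, RMB or folio-vertx-lib, this is the shape the DB_SERVER_PEM check takes with the vert.x PostgreSQL client that the FOLIO Java modules use: when the variable is set, the PEM becomes the only trust anchor and the client runs in VERIFY_FULL mode (chain and hostname checked); when it is unset, the pre-existing behaviour is kept. The DB_SERVER_PEM name comes from this ticket; the other DB_* variable names, the `PgTlsOptions` class and the default values are assumptions.

```java
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.net.PemTrustOptions;
import io.vertx.pgclient.PgConnectOptions;
import io.vertx.pgclient.PgPool;
import io.vertx.pgclient.SslMode;
import io.vertx.sqlclient.PoolOptions;

import java.util.Map;

/** Hypothetical helper: builds vert.x PgConnectOptions from environment variables. */
public final class PgTlsOptions {

  private PgTlsOptions() {
  }

  /**
   * Builds connect options from the given environment map (pass System.getenv() in
   * production; a plain Map here so the logic can be unit tested without real env vars).
   * DB_SERVER_PEM is the name used in this ticket; DB_HOST, DB_PORT, DB_DATABASE,
   * DB_USERNAME and DB_PASSWORD are assumed names.
   */
  public static PgConnectOptions fromEnv(Map<String, String> env) {
    PgConnectOptions options = new PgConnectOptions();
    options.setHost(env.getOrDefault("DB_HOST", "localhost"));
    options.setPort(Integer.parseInt(env.getOrDefault("DB_PORT", "5432")));
    options.setDatabase(env.getOrDefault("DB_DATABASE", "postgres"));
    options.setUser(env.getOrDefault("DB_USERNAME", "postgres"));
    options.setPassword(env.getOrDefault("DB_PASSWORD", ""));

    String serverPem = env.get("DB_SERVER_PEM");
    if (serverPem == null || serverPem.isBlank()) {
      // Variable not defined: keep the previous behaviour (no TLS settings applied).
      return options;
    }

    // VERIFY_FULL: the server certificate must chain to the configured trust anchor
    // AND its subject/SAN must match the host we dialled. Do NOT combine this with
    // setTrustAll(true), which would silently disable the chain check again.
    options.setSslMode(SslMode.VERIFY_FULL);
    options.setPemTrustOptions(new PemTrustOptions().addCertValue(Buffer.buffer(serverPem)));
    // vert.x performs hostname verification only when an algorithm is configured.
    options.setHostnameVerificationAlgorithm("HTTPS");
    return options;
  }

  /** Returns true when the options will verify the server certificate chain and hostname. */
  public static boolean verifiesServer(PgConnectOptions options) {
    return options.getSslMode() == SslMode.VERIFY_FULL
        && options.getPemTrustOptions() != null
        && !options.isTrustAll()
        && "HTTPS".equals(options.getHostnameVerificationAlgorithm());
  }

  /** Creates a pool whose every connection uses the options above. */
  public static PgPool createPool(Vertx vertx, Map<String, String> env) {
    return PgPool.pool(vertx, fromEnv(env), new PoolOptions().setMaxSize(5));
  }
}
```

A unit test for the missing folio-vertx-lib case can be written against `fromEnv` alone: pass a map containing DB_SERVER_PEM with a constructed PEM string and assert `verifiesServer(...)` is true, then pass a map without it and assert the SSL mode is unchanged, without needing a running PostgreSQL.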
| Comments |
| Comment by Johannes Drexl [ 20/Dec/19 ] |
This is a Subtask for ticket https://folio-org.atlassian.net/browse/OKAPI-787 It will affect communication between Okapi and the modules too when enabling SSL there. |
| Comment by Julian Ladisch [ 20/Dec/19 ] |
Which PostgreSQL client doesn't check the PostgreSQL server certificate? |
| Comment by Johannes Drexl [ 08/Jan/20 ] |
The PostgreSQL system client doesn't check certificates. Okapi doesn't even support SSL. |
| Comment by Craig McNally [ 14/Oct/21 ] |
Discussed with CP team and the thought is that https://folio-org.atlassian.net/browse/RMB-546 encompasses this. We bumped that story to P2 |