<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:20:25 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2406] SSL/TLS, SCRAM-SHA-256, migration to PostgreSQL 10 (or higher)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2406</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Okapi and probably all modules are using legacy (though still supported) postgres libraries, which have major drawbacks and sometimes seem to be not correctly implemented anyway.&lt;/p&gt;

&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;Migration to PG10+ will be mandatory in September 2021, because that&apos;s when support for 9.x will be dropped after 5 years of maintenance. Pushing that to the back of the queue will be stressful for the community afterwards, when the deadline draws near, especially with more and more modules being built on legacy functions and more libraries using folio in their production environment.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;SSL not supported&lt;br/&gt;
Okapi 2.36.0 is not able to talk to a PG server that enforces SSL communication. Although a dedicated VLAN can be used for communication of this type, a single error or bug in the network setup can severely impact query privacy in this scenario, including exposure of database (login) information to a sniffing attacker. Defense in depth -&amp;gt; use everything that secures confidentiality and security of communication and hampers a potential adversary, so even crushing 0day exploits are highly unlikely to compromise the setup.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;MD5 mandatory&lt;br/&gt;
MD5 is the only password storage hashing algorithm that is supported by PG 9.x. And it&apos;s legacy, i.e. broken beyond repair and hope. PG 10 introduced SCRAM-SHA-256. Not only is sha256 a stronger and - for the foreseeable future - secure hashing algorithm, it also is salted and bundled with salted challenge response authentication, which doesn&apos;t expose passwords to sniffing parties on the network. Even if database breaches are something that seems like a worst case scenario, exposing passwords due to weak hashes during a breach will put a lot of users under fire, since we all know a lot of people recycle their passwords. SCRAM-SHA-256 won&apos;t be breakable for quite some time (as of current knowledge), and the salting counters rainbow table attacks too. &lt;br/&gt;
There also is the problem that MD5 hashed passwords are incompatible with SCRAM-SHA-256 authentication, so upgrading and using the better algorithm is only possible by resetting all passwords, which is a nightmare in its own right.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Additional note: Enable SSL server certificate pinning when upgrading&lt;br/&gt;
postgresql will by default allow connections to servers with unknown/self-signed certificates and doesn&apos;t bother about server verification:&lt;br/&gt;
&lt;a href=&quot;https://www.postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES&lt;/a&gt;&lt;br/&gt;
Introduce a parameter to make certificate verification enforceable or better make it mandatory.&lt;/p&gt;</description>
                <environment></environment>
        <key id="81540">FOLIO-2406</key>
            <summary>SSL/TLS, SCRAM-SHA-256, migration to PostgreSQL 10 (or higher)</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10001">Duplicate</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="712020:3ea0f137-0f2e-4b09-91f9-bb66fa7c98e5">Johannes Drexl</reporter>
                                    <labels>
                            <label>postgres</label>
                            <label>privacy</label>
                            <label>security</label>
                    </labels>
                <created>Wed, 18 Dec 2019 19:06:42 +0000</created>
                <updated>Mon, 15 Jun 2020 08:37:16 +0000</updated>
                            <resolved>Fri, 20 Dec 2019 15:35:09 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                <comments>
                                                            <comment id="194472" author="5ee89462f7aa140abd82d11d" created="Thu, 19 Dec 2019 23:19:03 +0000"  >&lt;p&gt;Thank you for your report.&lt;/p&gt;

&lt;p&gt;It seems that you&apos;ve combined 4 issues into a single report:&lt;br/&gt;
1. End-of-Life of PostgreSQL 9.x in September 2021.&lt;br/&gt;
2. Okapi has no SSL support for the connection to PostgreSQL.&lt;br/&gt;
3. Missing SCRAM-SHA-256 support (only MD5) for PostgreSQL passwords.&lt;br/&gt;
4. Missing SSL server certificate pinning for the connection to PostgreSQL.&lt;/p&gt;

&lt;p&gt;Can you create a separate Jira issue for each of them so that they can be handled independently?&lt;/p&gt;

&lt;p&gt;Can you check whether 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-1438&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1438&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Upgrade to PostgreSQL 10&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-1438
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 solves 1. and 3.?&lt;/p&gt;

&lt;p&gt;Can you report 2. against OKAPI project? &lt;a href=&quot;https://folio-org.atlassian.net/projects/OKAPI/issues&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/projects/OKAPI/issues&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When creating the issue for 4. can you be more specific in which part of FOLIO you noticed this problem (for example mod-inventory-storage, or in Okapi)?&lt;/p&gt;

&lt;p&gt;After creating the separate Jira issues please link 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-2406&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2406&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;SSL/TLS, SCRAM-SHA-256, migration to PostgreSQL 10 (or higher)&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-2406
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 as a duplicate of them and close 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-2406&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2406&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;SSL/TLS, SCRAM-SHA-256, migration to PostgreSQL 10 (or higher)&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-2406
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 as duplicate.&lt;/p&gt;</comment>
                                                            <comment id="194475" author="712020:3ea0f137-0f2e-4b09-91f9-bb66fa7c98e5" created="Fri, 20 Dec 2019 15:31:54 +0000"  >&lt;p&gt;Split into multiple tickets:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2410&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/FOLIO-2410&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/OKAPI-787&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/OKAPI-787&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;-&amp;gt; &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2412&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/FOLIO-2412&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2411&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/FOLIO-2411&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Can&apos;t link and close issues, but if &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5ecdb772036612ff61cf1&quot; class=&quot;user-hover&quot; rel=&quot;5af5ecdb772036612ff61cf1&quot; data-account-id=&quot;5af5ecdb772036612ff61cf1&quot; accountid=&quot;5af5ecdb772036612ff61cf1&quot; rel=&quot;noreferrer&quot;&gt;Hkaplanian&lt;/a&gt; would be so nice to do that for me&lt;/p&gt;

&lt;p&gt;As for 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-1438&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1438&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Upgrade to PostgreSQL 10&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-1438
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 - I&apos;m only able to test that in about 3 weeks, but I&apos;ll try it then.&lt;/p&gt;</comment>
                                                            <comment id="194476" author="5ee89462f7aa140abd82d11d" created="Fri, 20 Dec 2019 15:35:09 +0000"  >&lt;p&gt;Thank you Johannes, I&apos;ve linked them!&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10002">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="80856">FOLIO-1438</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81547">FOLIO-2410</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54128">OKAPI-787</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57235">RMB-546</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81300">FOLIO-2145</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81297">FOLIO-2144</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79828">FOLIO-2411</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79829">FOLIO-2412</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i00j67:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 19 Dec 2019 23:19:03 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>