<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:20:27 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2412] Clients should verify PostgreSQL SSL/TLS server certificate</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2412</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Enable SSL server certificate pinning when upgrading. PostgreSQL will by default allow connections to servers with unknown/self-signed certificates and doesn&apos;t bother about server verification:&lt;br/&gt;
&lt;a href=&quot;https://www.postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES&lt;/a&gt;&lt;br/&gt;
Introduce a parameter to make certificate verification enforceable or better make it mandatory.&lt;br/&gt;
There are several options: &lt;a href=&quot;https://vertx.io/docs/vertx-core/java/#_enabling_ssl_tls_on_the_client&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://vertx.io/docs/vertx-core/java/#_enabling_ssl_tls_on_the_client&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;tt&gt;setHostnameVerificationAlgorithm(&quot;HTTPS&quot;)&lt;/tt&gt;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;new JksOptions().setValue(myTrustStoreAsABuffer)&lt;/tt&gt; for truststore.jks&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;setPfxTrustOptions(new PfxOptions().setValue(myTrustStoreAsABuffer))&lt;/tt&gt; for truststore.pfx&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;setPemTrustOptions(new PemTrustOptions().addCertValue(myTrustStoreAsABuffer))&lt;/tt&gt; for ca-cert.pem&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;For each module and for Okapi ensure that it reads the DB_SERVER_PEM environment variable (Okapi: postgres_server_pem), and if this variable is defined then all connections to PostgreSQL&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;get rejected if unencrypted&lt;/li&gt;
	&lt;li&gt;get rejected if TLS versions lower than TLSv1.3&lt;/li&gt;
	&lt;li&gt;get rejected if the DB_SERVER_PEM certificate doesn&apos;t match&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;For Okapi this is unit tested in &lt;a href=&quot;https://github.com/folio-org/okapi/blob/v4.14.0/okapi-core/src/test/java/org/folio/okapi/service/impl/PostgresHandleTest.java#L106-L129&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/okapi/blob/v4.14.0/okapi-core/src/test/java/org/folio/okapi/service/impl/PostgresHandleTest.java#L106-L129&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For RMB this is unit tested in &lt;a href=&quot;https://github.com/folio-org/raml-module-builder/blob/master/domain-models-runtime/src/test/java/org/folio/rest/persist/PostgresClientSslTest.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/raml-module-builder/blob/master/domain-models-runtime/src/test/java/org/folio/rest/persist/PostgresClientSslTest.java&lt;/a&gt; and is available for RMB 34.0.0 (to be released).&lt;/p&gt;

&lt;p&gt;For folio-vertx-lib this is partly unit tested in &lt;a href=&quot;https://github.com/folio-org/folio-vertx-lib/blob/v1.1.0/core/src/test/java/org/folio/tlib/postgres/TenantPgPoolTest.java#L203-L218&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-vertx-lib/blob/v1.1.0/core/src/test/java/org/folio/tlib/postgres/TenantPgPoolTest.java#L203-L218&lt;/a&gt;; a unit test for the DB_SERVER_PEM env variable is missing.&lt;/p&gt;

&lt;p&gt;For Spring: to be investigated.&lt;/p&gt;

&lt;p&gt;For ERM modules (Grails based): to be investigated.&lt;/p&gt;</description>
                <environment></environment>
        <key id="79829">FOLIO-2412</key>
            <summary>Clients should verify PostgreSQL SSL/TLS server certificate</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="10003" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/generic.png" description="The issue cannot be worked on because it is blocked by other issues. (Migrated on 4 Feb 2024 13:41 UTC)">Blocked</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="712020:3ea0f137-0f2e-4b09-91f9-bb66fa7c98e5">Johannes Drexl</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                            <label>postgres</label>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Fri, 20 Dec 2019 15:10:17 +0000</created>
                <updated>Sat, 28 May 2022 21:44:00 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                <comments>
                                                            <comment id="190261" author="712020:3ea0f137-0f2e-4b09-91f9-bb66fa7c98e5" created="Fri, 20 Dec 2019 15:16:54 +0000"  >&lt;p&gt;This is a Subtask for ticket &lt;a href=&quot;https://folio-org.atlassian.net/browse/OKAPI-787&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/OKAPI-787&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It will affect communication between Okapi and the modules too when enabling SSL there.&lt;/p&gt;</comment>
                                                            <comment id="190264" author="5ee89462f7aa140abd82d11d" created="Fri, 20 Dec 2019 15:47:01 +0000"  >&lt;p&gt;Which PostgreSQL client doesn&apos;t check the PostgreSQL server certificate?&lt;br/&gt;
The vertx-mysql-postgresql-client used by Okapi? &lt;a href=&quot;https://github.com/folio-org/okapi/blob/v2.35.2/okapi-core/pom.xml#L83&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/okapi/blob/v2.35.2/okapi-core/pom.xml#L83&lt;/a&gt;&lt;br/&gt;
The vertx-mysql-postgresql-client-jasync used by modules that use RAML Module Builder? &lt;a href=&quot;https://github.com/folio-org/raml-module-builder/blob/master/domain-models-runtime/pom.xml#L142&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/raml-module-builder/blob/master/domain-models-runtime/pom.xml#L142&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="190268" author="712020:3ea0f137-0f2e-4b09-91f9-bb66fa7c98e5" created="Wed, 8 Jan 2020 09:56:43 +0000"  >&lt;p&gt;The PostgreSQL system client doesn&apos;t check certificates. Okapi doesn&apos;t even support SSL. &lt;/p&gt;</comment>
                                                            <comment id="190271" author="5cf6c546b87c300f36eb7b9a" created="Thu, 14 Oct 2021 15:08:14 +0000"  >&lt;p&gt;Discussed with CP team and the thought is that &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-546&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/RMB-546&lt;/a&gt;&#160;encompasses this.&#160; We bumped that story to P2&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="35765">FOLSPRINGS-55</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39149">VERTXLIB-20</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="43053">ERM-2186</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54132">OKAPI-792</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57236">RMB-547</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10002">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="81540">FOLIO-2406</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="54128">OKAPI-787</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57235">RMB-546</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i00jjj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 20 Dec 2019 15:47:01 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>