Use SSL/TLS support for both encryption and user authentication [CORE3251] #3619

Closed
firebird-automations opened this issue Nov 19, 2010 · 4 comments

Comments

@firebird-automations
Collaborator

Submitted by: Tony Whyman (twhyman)

Votes: 6

Firebird has inherited a low security environment from Interbase. There is no means to encrypt connections and client authentication uses weak password based authentication. SSL/TLS could be used to improve both areas. Four levels of use are proposed, controlled through the configuration file and/or on a per user basis:

1. No SSL/TLS i.e. the current situation

2. SSL/TLS used to authenticate the server to the client and encrypt the subsequent connection. This is the typical https mode of use and makes use of X.509 certificate based authentication. A PKI is required. However, this does not have to be a paid-for service and in most cases a local PKI based on OpenSSL should suffice.

3. SSL/TLS is additionally used to authenticate a client to the server. The client certificate must be signed by a Certification Authority recognised by the client.

4. In addition to authenticating the client, the common name component of the client certificate is used as the "username" and no password is required. This provides strong certificate based authentication of the client.

Most, if not all, of the above functionality already exists in external libraries and is used in ways, similar to the above proposal, by projects such as Sendmail, Dovecot, MySQL, Apache, Racoon, etc.
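The four levels proposed above, sketched as server-side TLS settings with Python's standard `ssl` module. This is an added example, not code from Firebird or from the submitter; the `Level` names, `server_context`, `login_name` and the sample certificate are hypothetical.

```python
import ssl
from enum import IntEnum

class Level(IntEnum):           # hypothetical names for the four proposed levels
    PLAIN = 1                   # no SSL/TLS
    SERVER_AUTH = 2             # server certificate + encryption
    CLIENT_AUTH = 3             # client certificate also required
    CERT_LOGIN = 4              # client certificate CN is the user name

def server_context(level, certfile=None, keyfile=None, client_ca=None):
    """Build the server-side TLS context for a level; None means no TLS."""
    if level == Level.PLAIN:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                                  # server identity (levels 2-4)
        ctx.load_cert_chain(certfile, keyfile)
    if level >= Level.CLIENT_AUTH:
        ctx.verify_mode = ssl.CERT_REQUIRED       # handshake fails without a client cert
        if client_ca:                             # CA that issues client certificates
            ctx.load_verify_locations(cafile=client_ca)
    return ctx

def login_name(level, peercert, supplied_user=None):
    """Pick the user name: from the certificate at level 4, otherwise as supplied."""
    if level < Level.CERT_LOGIN:
        return supplied_user                      # password check still applies
    subject = (peercert or {}).get("subject", ())
    cns = [v for rdn in subject for k, v in rdn if k == "commonName"]
    # Reject missing, empty or repeated CNs rather than guessing which one to trust.
    if len(cns) != 1 or not cns[0].strip():
        raise ValueError("client certificate must carry exactly one non-empty CN")
    return cns[0]

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {"subject": ((("organizationName", "Example Org"),),
                           (("commonName", "alice"),))}

if __name__ == "__main__":
    for lvl in Level:
        ctx = server_context(lvl)
        mode = ctx.verify_mode.name if ctx else "no TLS"
        print(lvl.name, mode, login_name(lvl, SAMPLE_CERT, supplied_user="bob"))
```

`getpeercert()` returns an empty dict when the peer certificate was not validated, so at level 4 the CN is only used after a handshake under `CERT_REQUIRED`.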

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

This issue is marked as 'Won't Fix' for only one reason - we have authentication and encryption plugin support in FB3. The default SRP authentication plugin appears to be very good from a security POV (20 byte passwords + protection from man in the middle attack), moreover it produces unique cryptographically strong encryption keys for aRC4 network crypt plugin. But certainly everyone who wants another authentication and/or encryption is free to write their own plugins.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Won't Fix [ 2 ]

Fix Version: 3.0 Alpha 1 [ 10331 ]

@firebird-automations
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]
