ImportExportTLSMode REQUIRE_FORCE does not have an expected effect

raulk89
edited May 2021 in General Discussion

Hi
Vertica 10.1
I have configured all these security features:

SELECT SECURITY_CONFIG_CHECK('NETWORK');
Spread security details:

  • EncryptSpreadComm = [vertica]
    Spread encryption is enabled
    It is now safe to set/change other security knobs

Data Channel security details:

  • DataSSLParams is set
    SSL on the data channel is enabled

Client-Server network security details:

  • EnableSSL is set
  • SSLCertificate is set
  • SSLPrivateKey is set
    Client-Server SSL is enabled

I also set the ImportExportTLSMode parameter to REQUIRE_FORCE, to make sure that the connections of all connecting clients are encrypted.

show current ImportExportTLSMode;
  level   |        name         |    setting
----------+---------------------+---------------
 DATABASE | ImportExportTLSMode | REQUIRE_FORCE

However, I am able to connect with vsql or with "JDBC Driver" without TLS.
Here I read that "CONNECT TO VERTICA" can override this ImportExportTLSMode parameter value, so that is why I changed it to "REQUIRE_FORCE":
https://www.vertica.com/docs/10.1.x/HTML/Content/Authoring/AdministratorsGuide/ConfiguringTheDB/SecurityParameters.htm

With vsql, I tried the values "disable" and "allow"; both connect without TLS (with "prefer" and "require" all is good).

vsql -h hostname -U "dbadmin" -w "12345" -m disable

So here you can see from the ssl_state column that there is "none":

select user_name, client_hostname, client_type, client_os_user_name, client_authentication_name, ssl_state from v_monitor.sessions;
  user_name  | client_hostname  | client_type | client_os_user_name | client_authentication_name | ssl_state
-------------+------------------+-------------+---------------------+----------------------------+-----------
 dbadmin     | 127.0.0.1:56764  | vsql        | dbadmin             | local_trust                | Server
 ldap_user   | XXXXXXX:65300    | JDBC Driver | ldap_user           | LDAP2                      | None
 dbadmin     | XXXXXXXX:57230   | vsql        | dbadmin             | network_passwd             | None

When I connect with the vsql utility without "-m", then ssl_state is Server.
So it seems that REQUIRE_FORCE does not actually force TLS while connecting.
Regards
Raul

Comments

  • SergeB (Employee)

    ImportExportTLSMode applies to Import/Export between Vertica clusters (CONNECT TO VERTICA, EXPORT TO VERTICA, COPY FROM VERTICA), not to communications between client and cluster.
    If you want to restrict an authentication to happen only when connecting to Vertica via TLS, you need to define it like this:
    CREATE AUTHENTICATION hosthash METHOD 'hash' HOST TLS '0.0.0.0/0';
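As an added example (not from this thread or from Vertica's own documentation) of what the reply above describes: an authentication record that only matches TLS-encrypted client sessions, followed by the catalog and session queries an administrator would run to confirm it took effect. The record name hosthash_tls and the priority value are assumptions.

```sql
-- The record from the question, host type left implicit:
--   CREATE AUTHENTICATION hosthash METHOD 'hash' HOST '0.0.0.0/0';

-- Explicit TLS-only record: password (hash) logins from any network address
-- are matched only when the client session is already TLS-encrypted.
-- 'hosthash_tls' is an assumed name.
CREATE AUTHENTICATION hosthash_tls METHOD 'hash' HOST TLS '0.0.0.0/0';
GRANT AUTHENTICATION hosthash_tls TO PUBLIC;
-- Assumed priority, so this record is evaluated before lower-priority ones.
ALTER AUTHENTICATION hosthash_tls PRIORITY 10;

-- Confirm the record was stored as a TLS host record (auth_host_type).
SELECT auth_name, auth_method, auth_host_type, auth_host_address, auth_priority
  FROM v_catalog.client_auth
 ORDER BY auth_priority DESC;

-- Verification after the change: any non-local session whose ssl_state is
-- 'None' is a client that was still admitted over a plaintext connection.
SELECT user_name, client_hostname, client_type,
       client_authentication_name, ssl_state
  FROM v_monitor.sessions
 WHERE ssl_state = 'None'
   AND client_hostname NOT LIKE '127.0.0.1:%';
```

Run the last query from a session that itself connected with TLS (vsql -m require), so that the check does not add a plaintext session of its own to the output.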

  • raulk89
    edited May 2021

    Hmm, wait a second, here it states that TLS is the default behaviour.
    https://www.vertica.com/docs/10.1.x/HTML/Content/Authoring/SQLReferenceManual/Statements/CREATEAUTHENTICATION.htm

    So, by executing:

    • CREATE AUTHENTICATION hosthash METHOD 'hash' HOST '0.0.0.0/0';

    Under the hood this should happen anyway:

    • CREATE AUTHENTICATION hosthash METHOD 'hash' HOST TLS '0.0.0.0/0';

    I created all my authentication methods without specifying TLS, since I thought it was the default.

    Regards
    Raul

  • SergeB (Employee)

    Can you open a support ticket? That will make it easier to troubleshoot your setup.
