ImportExportTLSMode REQUIRE_FORCE does not have an expected effect
Hi
Vertica 10.1
I have configured all these security features:
SELECT SECURITY_CONFIG_CHECK('NETWORK');
Spread security details:
- EncryptSpreadComm = [vertica]
Spread encryption is enabled
It is now safe to set/change other security knobs
Data Channel security details:
- DataSSLParams is set
SSL on the data channel is enabled
Client-Server network security details:
- EnableSSL is set
- SSLCertificate is set
- SSLPrivateKey is set
Client-Server SSL is enabled
I also set the ImportExportTLSMode parameter to REQUIRE_FORCE, to make sure that the connections of all connecting clients will be encrypted.
show current ImportExportTLSMode;
level | name | setting
----------+---------------------+---------------
DATABASE | ImportExportTLSMode | REQUIRE_FORCE
However, I am able to connect with vsql or with "JDBC Driver" without TLS.
Here I read that "CONNECT TO VERTICA" can override this **ImportExportTLSMode** parameter value, so that is why I changed it to "REQUIRE_FORCE":
https://www.vertica.com/docs/10.1.x/HTML/Content/Authoring/AdministratorsGuide/ConfiguringTheDB/SecurityParameters.htm
With vsql, I tried the values "disable" and "allow"; both connect without TLS (with "prefer" and "require" all is good).
vsql -h hostname -U "dbadmin" -w "12345" -m disable
So here you can see from the ssl_state column that there is "None":
select user_name, client_hostname, client_type, client_os_user_name, client_authentication_name, ssl_state from v_monitor.sessions;
user_name | client_hostname | client_type | client_os_user_name | client_authentication_name | ssl_state
--------------+------------------+-------------+---------------------+----------------------------+-----------
dbadmin | 127.0.0.1:56764 | vsql | dbadmin | local_trust | Server
ldap_user | XXXXXXX:65300 | JDBC Driver | ldap_user | LDAP2 | None
dbadmin | XXXXXXXX:57230 | vsql | dbadmin | network_passwd | None
When I connect with vsql utility without "-m", then ssl_state is Server.
So it seems like REQUIRE_FORCE does not actually force TLS while connecting.
Regards
Raul
Comments
ImportExportTLSMode applies to Import/Export between Vertica clusters (CONNECT TO VERTICA, EXPORT TO VERTICA, COPY FROM VERTICA), not to communications between client and cluster.
If you want to restrict an authentication to happen only when connecting to Vertica via TLS, you need to define it like this
CREATE AUTHENTICATION hosthash METHOD 'hash' HOST TLS '0.0.0.0/0';
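An added example (not code from this thread or from Vertica's documentation) showing the plaintext-tolerant record next to the TLS-only one, followed by the same v_monitor.sessions check used above to confirm no cleartext sessions remain. It assumes the user ldap_user exists, the record names are made up, and the v_catalog.client_auth column names are quoted from memory and should be checked against your version.

```sql
-- Added example, not from the thread. Assumes ldap_user exists and that the
-- 'hash' password method is what network logins use on this cluster.

-- Weak: a HOST record with neither TLS nor NO TLS matches a client whether or
-- not it negotiated TLS, so "vsql -m disable" still authenticates against it.
CREATE AUTHENTICATION net_hash_any METHOD 'hash' HOST '0.0.0.0/0';

-- Hardened: HOST TLS only matches sessions that arrived over TLS; a client that
-- refused TLS finds no matching record and is rejected.
CREATE AUTHENTICATION net_hash_tls METHOD 'hash' HOST TLS '0.0.0.0/0';
GRANT AUTHENTICATION net_hash_tls TO ldap_user;

-- Give the TLS-only record precedence, then retire the permissive one once
-- nothing depends on it (CASCADE also revokes its grants).
ALTER AUTHENTICATION net_hash_tls PRIORITY 10;
DROP AUTHENTICATION net_hash_any CASCADE;

-- Review the catalog: the TLS-only record is listed with a HOSTSSL host type.
-- (Column names assumed from memory; verify against your Vertica version.)
SELECT auth_name, is_auth_enabled, method, auth_host_type
FROM v_catalog.client_auth;

-- Verify at runtime: any row returned here is a client still talking in the clear.
SELECT user_name, client_hostname, client_type, client_authentication_name, ssl_state
FROM v_monitor.sessions
WHERE ssl_state = 'None';
```

Run the last query again after the change; a session that connected with `-m disable` should no longer appear, because it cannot authenticate at all.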
Hmm, wait a second, here it states that TLS is the default behaviour.
https://www.vertica.com/docs/10.1.x/HTML/Content/Authoring/SQLReferenceManual/Statements/CREATEAUTHENTICATION.htm
So, by executing:
Under the hood this should happen anyway:
I created all my authentication methods without specifying TLS, since I thought it is default.
Regards
Raul
Can you open a support ticket? This will make it easier to troubleshoot your setup.