Different TLS default behaviour for JDBC, ODBC and other drivers — Vertica Forum

Hi,

Checking the sessions system view, all ODBC connections are reporting SSL_state = Server, TLS_version = TLSv1.2. All JDBC connections report SSL_state = None, and an empty string for TLS_version.

All ODBC connections are from clients v12.0 and above, while JDBC connections are from v6 to 24.

It appears the ODBC driver by default behaves opportunistically: if the server supports TLS, it uses TLS; otherwise it does not use TLS.

The JDBC driver requires a special parameter in the JDBC URL - tlsmode=require. Then it starts using TLS; otherwise it is plain text.

That is "grossly" incorrect behaviour of the JDBC driver; it should behave the same way as the ODBC driver: try to use TLS by default, and fall back to plain text if not possible.

Checking other drivers, most recent versions:

vsql, ODBC, OLE DB Driver, vsql and vertica-sql-go are by default doing TLS.

JDBC, vertica-python, Node.js are doing plain text by default.

"vertica connect" - CONNECT TO VERTICA - is doing TLS by default. Technically, it is not a client driver.

Please ask the client team to review the default TLS behaviour for the JDBC, vertica-python and Node.js drivers. They should behave the same as ODBC and other good drivers - by default try to use TLS, and if not possible, fall back to plain text. The current behaviour - always use plain text by default - is "not good".

Other question - I can see accidental vsql sessions that are not using TLS, for no apparent reason - there are millions of vsql sessions and 0.0003% are non-TLS. I tend to think the connections are not using TLS because of networking problems at the time of establishing the connection (???). Typically non-TLS vsql connections happen in short periods of time.

Any way I can force all client connections to use TLS for network transfer? Rolling out certificates to clients is not feasible, client authentication will not use TLS.

Thank you
Sergey

Answers

  • SruthiA Administrator
    edited June 2024

    @Sergey_Cherepan_1: There is a new feature being worked on which will change the default tlsmode to prefer for the JDBC driver in future.

  • SergeB Employee

    @Sergey_Cherepan_1 Did you configure your authentication to only allow TLS?
    For instance:
    CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST TLS '10.0.0.0/23';
    Would also allow TLS connections from the specified host. A plaintext connection attempt would fail.
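
Added example, not part of the forum thread and not Vertica's own code: the audit from the question and the HOST TLS approach from the last answer, written out as SQL. The record name tls_only_hash, the 'hash' method and the address range are placeholders; client_type, client_version and the v_catalog.client_auth columns are assumed from the Vertica system tables and should be checked against your server version.

```sql
-- 1. Audit: which drivers and driver versions hold plaintext sessions right now?
--    ssl_state and tls_version are the columns quoted in the question;
--    client_type and client_version are assumed to exist in the same view.
SELECT client_type,
       client_version,
       ssl_state,
       tls_version,
       COUNT(*) AS session_count
FROM   v_monitor.sessions
GROUP  BY client_type, client_version, ssl_state, tls_version
ORDER  BY ssl_state, session_count DESC;

-- 2. Enforce: a HOST TLS record matches only connections that negotiated TLS.
--    Password ('hash') authentication is used here, so no client certificates
--    have to be rolled out. Name, method and CIDR range are placeholders.
CREATE AUTHENTICATION tls_only_hash METHOD 'hash' HOST TLS '10.0.0.0/23';
GRANT AUTHENTICATION tls_only_hash TO PUBLIC;

-- 3. Review: list every authentication record with its host type.
--    Assumption: a plaintext attempt is rejected only when no other record
--    granted to the user matches a non-TLS connection, so any remaining
--    record whose host type is plain HOST (TLS optional) needs a decision:
--    convert it to HOST TLS or disable it.
SELECT auth_name,
       is_auth_enabled,
       auth_host_type,
       auth_host_address,
       auth_method
FROM   v_catalog.client_auth
ORDER  BY auth_name;
```

After step 2, clients whose driver defaults to plain text (the JDBC, vertica-python and Node.js cases named in the question) need tlsmode set explicitly, or their logins will fail, so run step 1 first to see who is affected.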
