search

FirebirdSQL / firebird

Firebird server, client and tools
https://www.firebirdsql.org/
1.26k stars 216 forks source link

Use SSL/TLS support for both encryption and user authentication [CORE3251] #3619

Closed firebird-automations closed 11 years ago

firebird-automations commented 13 years ago

Submitted by: Tony Whyman (twhyman)

Votes: 6

Firebird has inherited a low security environment from Interbase. There is no means to encrypt connections and client authentication uses weak password based authentication. SSL/TLS could be used to improve both areas. Four levels of use are proposed, controlled through the configuration file and/or on a per user basis:

1. No SSL/TLS i.e. the current situation

2. SSL/TLS used to authenticate the server to the client and encrypt the subsequent connection.This is the typical https mode of use and makes use of X.509 certificate based authentication. A PKI is required. However, this does not have to be a paid for service and in most cases a local PKI based on OpenSSL should suffice.

3. SSL/TLS is additionally used to authenticate a client to the server. The client certificate must be signed by a Certification Authority recognised by the client.

4. In addition to authenticating the client, the common name component of the client certificate is used as the "username" and no password is required. This provides strong certificate based authentication of the client.

Most, if not all, of the above functionality already exists in external libraries and is used in ways, similar to the above proposal, by projects such as Sendmail, Dovecot, MySQL, Apache, Racoon, etc.

firebird-automations commented 13 years ago
Modified by: @AlexPeshkoff assignee: Alexander Peshkov \[ alexpeshkoff \]
firebird-automations commented 11 years ago

Commented by: @AlexPeshkoff

This issue is marked as 'Wont Fix' due to the only one reason - we have authentication and encyption plugins support in FB3. Default SRP authentication plugin appears to be very good from security POV (20 byte passwords + protection from man in the middle attack), moreover it produces unique cryptographically strong encryption keys for aRC4 network crypt plugin. But certainly everyone who wants another authentication and/or encryption is free to write own plugins.

firebird-automations commented 11 years ago
Modified by: @AlexPeshkoff status: Open \[ 1 \] =\> Resolved \[ 5 \] resolution: Won't Fix \[ 2 \] Fix Version: 3\.0 Alpha 1 \[ 10331 \]
firebird-automations commented 11 years ago
Modified by: @pcisar status: Resolved \[ 5 \] =\> Closed \[ 6 \]