Comdb2 can be configured to secure network traffic with Transport Layer Security (TLS). TLS, which is the successor to SSL, offers stronger encryption than SSL. TLS also provides identity verification using X509 standard. Therefore Comdb2 uses TLS protocol only.

In order to configure SSL, OpenSSL run-times are required on both clients and servers.

Basic SSL Configuration

The server needs an OpenSSL key pair in PEM format to start in SSL mode. By default, the server searches server.crt and server.key under the data directory for server certificate and key, respectively. Alternatively, You could specify the paths to these files by adding the following directives in the LRL:

ssl_cert /path/to/certificate
ssl_key /path/to/key

For security reasons, the server will reject the key and fail to start if the key can be read/written/executed by other users. You could use the following command to make the key read only by the owner:

chmod 400 <key>

If the key has a passphrase, the server will prompt for the passphrase and will not proceed until the passphrase is entered.

Comdb2 accepts both SSL and plaintext connections when running in the default SSL mode. To enforce SSL-only connections from clients, you would change SSL mode to REQUIRE in the LRL:

ssl_client_mode REQUIRE

The client library libcdb2api automatically chooses SSL or plaintext based on the server configuration: it uses SSL if SSL is required by the server, and uses plaintext otherwise.

Using Secure Connections to Prevent Network Attacks

SSL offers protection against two types of network attacks: Eavesdropping and Man-in-the-middle attacks.

Protecting the Connections against Eavesdropping

With an unencrypted connection, a third party with access to the network can examine the traffic and inspect the data. Such attacks are called eavesdropping. To prevent eavesdropping, you would configure libcdb2api to always use SSL by adding the following in comdb2db.cfg or in the database configuration file:

ssl_mode REQUIRE

If the server supports SSL, SSL connections will be established. Otherwise, libcdb2api will not attempt to connect.

Protecting the Connections against Man-in-the-middle Attacks

Even with an encrypted connection, a third party with access to the network can intercept, modify and relay messages between the client and server and make them think that they are talking to each other securely. Such attacks are called Man-in-the-middle (MITM) attacks (also known as replay attacks or active eavesdropping). To prevent MITM, the client needs to verify server identity. To do it, you would have a file which contains certificates of the certificate authorities (CA) you trust, and a certificate revocation list (CRL) if available, and add them to comdb2db.cfg or the database configuration file:

ssl_ca /path/to/ca/certificate
ssl_crl /path/to/crl

The client will disconnect if the server certificate is not signed by any CA in the trusted CA certificate file, or has been revoked.

Authenticating the Client to the Server

The server can also be configured to verify client identities. By default, the server searches root.crt and root.crl under the data directory for the server CA certificate file and CRL, respectively. Alternatively you could specify the paths to the CA certificate and CRL in the LRL:

ssl_ca /path/to/ca/certificates
ssl_crl /path/to/crl

On the client side, you would specify the paths to the client key pair by adding the following to comdb2db.cfg or the database configuration file:

ssl_cert /path/to/certificate
ssl_key  /path/to/key

If a client certificate is present, it will be verified against the CA certificates. The connection will be rejected if the server fails to verify the client certificate.

To always require client certificates, you would change SSL mode in the LRL:

ssl_client_mode VERIFY_CA

Now if a client certificate is not present, the connection will be rejected as well.

Host Name Verification

If the certificates are issued by a public certificate authority, you might also want to enable host name validation by changing SSL mode in the LRL:

ssl_client_mode VERIFY_HOSTNAME

If the client host name mismatches the Subject Alternative Names (SAN), or the Common Name (CN) if no SAN is present in the client certificate, the connection will be rejected by the server as well.

Database Name Verification

In addition to host name verification, Comdb2 offers database name verification where the client certificate must match the database name in order to proceed. This is particularly useful in a multi-user system where a single host is shared among users. To enable it, you would change the SSL mode and specify what field is used to verify the database name. For instance,

ssl_client_mode VERIFY_DBNAME
ssl_dbname_field host

If the host field in the client certificate does not match the database name, the connection will be rejected by the server.

Protecting Intra-Cluster Communication

If the database cluster is in an uncontrolled environment where intra-cluster network attacks may occur, you could encrypt the communication between the master and replicants by changing replicant SSL mode and bouncing on all nodes:

ssl_replicant_mode REQUIRE

To perform both intra-cluster encryption and identity verification, you would change replicant SSL mode to VERIFY_CA and bounce on all nodes:

ssl_replicant_mode VERIFY_CA

The nodes will verify each other’s certificate against their own trusted CA file. Nodes that fail the certificate verification are refused to join the cluster.

If the certificates are issued by a public certificate authority, you might want to enable host name validation by changing the replicant SSL mode to VERIFY_HOSTNAME. Nodes whose host names mismatch SANs or CN embedded in their certificates are refused to join the cluster.

Server SSL Configuration Summary

LRL Directive Description Default Value
ssl_client_mode mode Can be one of ALLOW, REQUIRE, VERIFY_CA, VERIFY_HOSTNAME, VERIFY_DBNAME, PREFER, PREFER_VERIFY_CA, PREFER_VERIFY_HOSTNAME and PREFER_VERIFY_DBNAME ALLOW
ssl_replicant_mode mode Can be one of ALLOW, REQUIRE, VERIFY_CA, VERIFY_HOSTNAME and VERIFY_DBNAME ALLOW
ssl_cert_path path Directory containing the server certificate files. Comdb2 searches server.crt, server.key, root.crt and root.crl for the server certificate, key, trusted CAs and CRL respectively The data directory
ssl_cert file Path to the certificate <ssl_cert_path>/server.crt
ssl_key file Path to the key <ssl_cert_path>/server.key
ssl_ca file Path to the trusted CA certificates <ssl_cert_path>/root.crt
ssl_crl file Path to the CRL <ssl_cert_path>/root.crl
ssl_cipher_suites string list of accepted ciphers HIGH:!aNULL:!eNULL
ssl_min_tls_ver version_number Minimum client TLS version 1.0

Client SSL Configuration Summary

Option Description Default Value
ssl_mode mode Can be one of ALLOW, REQUIRE, VERIFY_CA, VERIFY_HOSTNAME, VERIFY_DBNAME, PREFER, PREFER_VERIFY_CA, PREFER_VERIFY_HOSTNAME and PREFER_VERIFY_DBNAME ALLOW
ssl_cert_path path Directory containing client certificate files. libcdb2api searches client.crt, client.key, root.crt and root.crl for the client certificate, key, trusted CAs and CRL respectively N/A
ssl_cert file Path to the client certificate <ssl_cert_path>/client.crt
ssl_key file Path to the client key <ssl_cert_path>/client.key
ssl_ca file Path to the trusted CA certificates. <ssl_cert_path>/root.crt
ssl_crl file Path to the CRL <ssl_cert_path>/root.crl
ssl_session_cache 1/0 Enable SSL client-side session cache. 0
ssl_min_tls_ver version_number Minimum server TLS version 1.0

SSL Mode Summary

Mode Encryption MITM Overhead
ALLOW Maybe Yes SSL negotiation1 + TLS protocol overhead if the peer requires SSL. No overhead otherwise.
REQUIRE Yes Yes SSL negotiation1 + TLS protocol overhead
VERIFY_CA Yes Maybe if signed by 3rd party CA. No if self-signed or signed by a local CA. SSL negotiation1 + TLS protocol overhead + certificate verification
VERIFY_HOSTNAME Yes No SSL negotiation1 + TLS protocol overhead + certificate verification + host name validation
VERIFY_DBNAME Yes No SSL negotiation1 + TLS protocol overhead + certificate verification + host name validation + database name validation
PREFER Maybe Yes Behaves like REQUIRE if peer allows SSL; behaves like ALLOW otherwise.
PREFER_VERIFY_CA Maybe Yes Behaves LIKE VERIFY_CA if peer allows SSL; behaves like ALLOW otherwise.
PREFER_VERIFY_HOSTNAME Maybe Yes Behaves LIKE VERIFY_HOSTNAME if peer allows SSL; behaves like ALLOW otherwise.
PREFER_VERIFY_DBNAME Maybe Yes Behaves LIKE VERIFY_DBNAME if peer allows SSL; behaves like ALLOW otherwise.

[1]: In order to establish an SSL connection, the client and the server need to negotiate over the plaintext connection before upgrading to SSL. This happens only once for each connection establishment.