Firebird has inherited a low security environment from Interbase. There is no means to encrypt connections and client authentication uses weak password based authentication. SSL/TLS could be used to improve both areas. Four levels of use are proposed, controlled through the configuration file and/or on a per user basis:
1. No SSL/TLS i.e. the current situation
2. SSL/TLS used to authenticate the server to the client and encrypt the subsequent connection.This is the typical https mode of use and makes use of X.509 certificate based authentication. A PKI is required. However, this does not have to be a paid for service and in most cases a local PKI based on OpenSSL should suffice.
3. SSL/TLS is additionally used to authenticate a client to the server. The client certificate must be signed by a Certification Authority recognised by the client.
4. In addition to authenticating the client, the common name component of the client certificate is used as the "username" and no password is required. This provides strong certificate based authentication of the client.
Most, if not all, of the above functionality already exists in external libraries and is used in ways, similar to the above proposal, by projects such as Sendmail, Dovecot, MySQL, Apache, Racoon, etc.
The text was updated successfully, but these errors were encountered:
This issue is marked as 'Wont Fix' due to the only one reason - we have authentication and encyption plugins support in FB3. Default SRP authentication plugin appears to be very good from security POV (20 byte passwords + protection from man in the middle attack), moreover it produces unique cryptographically strong encryption keys for aRC4 network crypt plugin. But certainly everyone who wants another authentication and/or encryption is free to write own plugins.