Feature Request: Allow SSL Authentication with Postgres Server, optionally using embedded certificates #17

Closed
kkieffer opened this issue Nov 23, 2019 · 6 comments
Labels
enhancement New feature or request

Comments

@kkieffer

Although SSL can be enabled to encrypt the connection to the server, the server is not authenticated. The client is vulnerable to a Man-In-The-Middle attack, where it unknowingly connects to a fake server impersonating the real server. Thus it is good practice for the client to authenticate the server while establishing the SSL connection.

I propose two new features:

First feature: allow the client to authenticate the server. Currently the SSL service uses an initializer:

SSLService.Configuration()

which by default allows self-signed server certificates. However, by setting the self-signed parameter to false, the server must provide a certificate that can be validated by the client using the client's root certificates.

Second feature: oftentimes servers are using certificates that don't establish a chain of trust to a root certificate on the client. This is true if you are using a self-signed certificate on a server, for instance. You can install those public certificates on the client, but this is an onerous process and must be done by the user on iOS. A more secure approach is to embed the public server certificate in the client and authenticate directly.

I have worked on a new feature for BlueSSLService that has recently been merged into the main trunk. This change allows the client to store several public certificates as .der files to be used to authenticate the server. See pull request here for details:

Kitura/BlueSSLService#81

I request that the new SSL feature be available in this library, so the Postgres client can authenticate a server using embedded certificates.

In essence, the change to this library would be to use the following init method for SSLService, supplying the parameters to the init method from new fields in the ConnectionConfiguration.

public init(withCipherSuite cipherSuite: String? = nil, clientAllowsSelfSignedCertificates: Bool = true, embeddedServerCertPaths : [URL]? = nil)

Note: The embeddedServerCertPaths feature is unavailable (parameter ignored) on macOS versions less than 10.14 and iOS < 12.0.

It is easy to embed certificates into the client. Simply add the .der file to the Xcode project and load them this way:

let path = Bundle.main.url(forResource: "MyServerCert", withExtension: ".der")

You can load multiple certificates if the client is connecting to several servers.

@kkieffer
Author

Note: this project would need to update to Version 1.0.52 of BlueSSLService to take advantage of the updates.

@pitfield pitfield added the enhancement New feature or request label Dec 23, 2019
@pitfield
Member

Yes, it would be good to support authentication of the server SSL certificate.

The BlueSSLService API and implementation are quite platform specific in this area. Rather than having PostgresClientKit cover the BlueSSLService API to configure SSL, I suggest allowing the caller to initialize and configure the SSLService.Configuration instance.

Specifically, I suggest adding the following to PostgresClientKit.ConnectionConfiguration:

public var sslServiceConfiguration: SSLService.Configuration = SSLService.Configuration()

Would this address your requirements?

@kkieffer
Author

That's a good idea. That would allow any new features added to BlueSSL to be used without changing the API to PostgresClientKit. It also may address #19.

@pitfield
Member

Available in v1.1.0.
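
The configuration discussed in this thread, as an added example that is not part of the original comments or the project's own code: it loads embedded .der certificates, builds an SSLService.Configuration with the init quoted above, and passes it through the sslServiceConfiguration property. The host, database, user, password, PinningSetupError and makePinnedConfiguration names are assumptions made for illustration.

```swift
import Foundation
import PostgresClientKit
import SSLService

// Hypothetical error type for this example.
enum PinningSetupError: Error { case certificateNotBundled(String) }

/// Builds a ConnectionConfiguration that authenticates the server using
/// certificates shipped in the app bundle (hypothetical helper).
func makePinnedConfiguration(certNames: [String]) throws -> ConnectionConfiguration {
    // Resolve every embedded .der file. Fail closed if one is missing rather
    // than silently connecting without the certificate the app expects.
    let certURLs: [URL] = try certNames.map { name in
        guard let url = Bundle.main.url(forResource: name, withExtension: "der") else {
            throw PinningSetupError.certificateNotBundled(name)
        }
        return url
    }

    // For comparison: SSLService.Configuration() with no arguments leaves
    // clientAllowsSelfSignedCertificates at its default of true.
    // Assumption: self-signed acceptance is switched off here so that only the
    // embedded certificates or the client's roots can vouch for the server;
    // check the BlueSSLService documentation for how the two parameters
    // interact on your platform. Per the thread, embeddedServerCertPaths is
    // ignored on macOS < 10.14 and iOS < 12.0.
    let sslConfig = SSLService.Configuration(
        withCipherSuite: nil,
        clientAllowsSelfSignedCertificates: false,
        embeddedServerCertPaths: certURLs)

    var config = ConnectionConfiguration()
    config.host = "db.example.internal"                        // placeholder
    config.database = "example"                                // placeholder
    config.user = "app_user"                                   // placeholder
    config.credential = .scramSHA256(password: "placeholder")  // placeholder
    config.ssl = true
    config.sslServiceConfiguration = sslConfig  // property added in v1.1.0
    return config
}

do {
    let config = try makePinnedConfiguration(certNames: ["MyServerCert"])
    let connection = try PostgresClientKit.Connection(configuration: config)
    defer { connection.close() }
} catch {
    // A failed certificate check surfaces here; do not retry without SSL.
    print("Connection refused or misconfigured: \(error)")
}
```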

@pitfield pitfield changed the title Feature Request: Allow Authentication with Postgres Server, optionally using embedded certificates Feature Request: Allow SSL Authentication with Postgres Server, optionally using embedded certificates Dec 26, 2019
@kkieffer
Author

One small note: Line 139 of Connection.swift:

let sslService = try SSLService(usingConfiguration: sslConfig)!

can throw an SSLError, though the comments indicate the function only throws a PostgresError.

You may want to surround with do/try/catch and create a new enum type to throw:

throw PostgresError.sslError(cause: error)

@pitfield
Member

Yes indeed, thanks!
