
On postgresql $wgDBssl should make sslmode be 'verify-full' not 'required'
Open, Medium · Public · BUG REPORT

Description

PostgreSQL has a number of sslmodes. Currently, if the user sets $wgDBssl = true; this sets the mode to 'required'. Confusingly, this means force a TLS connection but do not do any certificate validation. This is pretty useless from a security perspective (can be defeated by an active attacker), and has essentially the same security properties as "prefer", which is what you get with $wgDBssl = false;

I think it's safe to assume that anyone setting $wgDBssl = true; wants an actually validated SSL connection. I think we should make sslmode be 'verify-full' if $wgDBssl = true;. verify-full essentially means follow normal TLS rules for certificates. This may be a breaking change for those relying on the old behaviour.

See https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS for what all the values mean.
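As an added example (not code from this task or from MediaWiki itself), the following Python script parses a libpq-style connection string and reports what a given sslmode actually guarantees, including the backwards-compatibility rule where sslmode=require validates the CA only when a root CA file happens to exist. The $wgDBssl mapping function contrasts the behaviour described in this task with the proposed one; the connection strings and the root-CA-present flag are constructed inputs, and the PGSSLMODE environment variable and per-user ~/.postgresql/root.crt lookup are deliberately not modelled.

```python
"""Evaluate what a libpq sslmode really guarantees (illustrative, not MediaWiki code)."""
import re
from dataclasses import dataclass

# Modes in the order the libpq docs list them, weakest to strongest.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# libpq keyword=value pairs; values may be single-quoted with backslash escapes.
_PAIR = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'\\])*'|\S*)")


@dataclass(frozen=True)
class TlsGuarantees:
    tls_required: bool   # connection is refused unless TLS is negotiated
    ca_checked: bool     # server certificate must chain to a trusted root CA
    host_checked: bool   # certificate name must match the host we connected to


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq connection string such as "host=db sslmode='verify-full'"."""
    params = {}
    for key, raw in _PAIR.findall(conninfo):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, unescape \' and \\
        params[key] = raw
    return params


def effective_guarantees(params: dict, root_ca_file_exists: bool = False) -> TlsGuarantees:
    """Map an sslmode (default 'prefer') to the protection it provides.

    root_ca_file_exists models the libpq compatibility rule quoted in the task:
    with a root CA file present, sslmode=require behaves like verify-ca.
    """
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    if mode == "require" and root_ca_file_exists:
        mode = "verify-ca"  # silent upgrade, but still no hostname check
    if mode in ("disable", "allow", "prefer"):
        # 'prefer' may end up encrypted, but an active attacker can strip it.
        return TlsGuarantees(tls_required=False, ca_checked=False, host_checked=False)
    if mode == "require":
        return TlsGuarantees(tls_required=True, ca_checked=False, host_checked=False)
    if mode == "verify-ca":
        return TlsGuarantees(tls_required=True, ca_checked=True, host_checked=False)
    return TlsGuarantees(tls_required=True, ca_checked=True, host_checked=True)


def is_mitm_resistant(g: TlsGuarantees) -> bool:
    """Only a full chain plus hostname check stops an active attacker."""
    return g.tls_required and g.ca_checked and g.host_checked


def sslmode_for_wgdbssl(wg_db_ssl: bool, proposed: bool = False) -> str:
    """Behaviour described in the task ('require') vs. the proposed 'verify-full'.

    With $wgDBssl = false nothing is set, so libpq's default 'prefer' applies.
    """
    if not wg_db_ssl:
        return "prefer"
    return "verify-full" if proposed else "require"


def audit(conninfo: str, root_ca_file_exists: bool = False) -> str:
    """One-line verdict for a connection string (constructed inputs in __main__)."""
    g = effective_guarantees(parse_conninfo(conninfo), root_ca_file_exists)
    verdict = "resistant to an active attacker" if is_mitm_resistant(g) else "NOT resistant"
    return f"{conninfo!r}: tls={g.tls_required} ca={g.ca_checked} host={g.host_checked} -> {verdict}"


if __name__ == "__main__":
    for wg in (False, True):
        for proposed in (False, True):
            mode = sslmode_for_wgdbssl(wg, proposed)
            # Constructed sample DSN; host and dbname are placeholders.
            print(audit(f"host=db.example.internal dbname=wiki sslmode={mode}",
                        root_ca_file_exists=False))
    print(audit("host=db.example.internal sslmode=require", root_ca_file_exists=True))
```

Running the script shows that with $wgDBssl = true; and the current mapping the connection is encrypted but not resistant to an active attacker, that a root CA file lying around upgrades it to a CA check only, and that only the proposed verify-full mapping yields a hostname-verified connection.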

Event Timeline

Restricted Application added a subscriber: Aklapper.

Actually, I just read:

For backwards compatibility with earlier versions of PostgreSQL, if a root CA file exists, the behavior of sslmode=require will be the same as that of verify-ca, meaning the server certificate is validated against the CA. Relying on this behavior is discouraged, and applications that need certificate validation should always use verify-ca or verify-full.

So I guess 'require' isn't as crazy as it sounds. Still seems weird, and only validating that the root CA is correct sounds like a recipe for subtle security issues.

Krinkle triaged this task as Medium priority. May 1 2023, 7:17 PM
Krinkle moved this task from Untriaged to Rdbms: Non-MySQL support on the MediaWiki-libs-Rdbms board.
Krinkle removed a project: Performance-Team.
Krinkle subscribed.

Seems reasonable in principle and I don't think it would be a burden or increase maintenance complexity. Patch welcome, but probably also need to find a reviewer willing to test/review it.