Use TLS with FairCom's ISAM, CTDB, and SQL client drivers
FairCom client driver settings to connect securely to FairCom's ISAM, CTDB, and SQL APIs
FairCom’s ISAM, SQL ODBC, and SQL JDBC client libraries require a server certificate file in the client process's working directory. This file must be a PEM file containing the CA certificate (or the self-signed server certificate). By default, the file must be named ctsrvr.pem.
Client software can use the following code to register a certificate file other than ctsrvr.pem that FairCom's driver will use to validate the server's self-signed or CA certificate:
ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_SERVER_CERTIFICATE, "my server cert.pem");
If you want to establish TLS communications with a FairCom server but do not want to verify the server’s identity, use the following code to register an empty server certificate file name with FairCom’s client software. This approach is vulnerable to a man-in-the-middle attack.
ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_SERVER_CERTIFICATE, "");
If an error occurs when connecting using TLS, the connection attempt returns error 1104 (SSLCONN_ERR).
For troubleshooting, client software can use the following code to enable TLS logging to the specified file name:
ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_DEBUG_LOG, "ssldebug.log");
Alternatively, you can set the environment variable CTSSL_DEBUG_LOG to the name of the SSL debug log file.
You can use TLS security keywords to modify TLS behavior on a FairCom server.

1. Navigate to and open the ctsrvr.cfg file in the <faircom>/config/ folder.

2. Edit or add the SUBSYSTEM COMM_PROTOCOL SSL setting.

   Note: The SUBSYSTEM COMM_PROTOCOL SSL setting normally exists in ctsrvr.cfg but is commented out with a semicolon at the beginning of the section. Uncomment it by removing the semicolon. If this setting does not exist, add it using the "Default minimally secure configuration for COMM_PROTOCOL SSL" example.

3. Modify the "Default minimally secure configuration for COMM_PROTOCOL SSL" example to match your desired TLS configuration options.

   Note: The default setting is insecure because it is designed for maximum connectivity and compatibility while evaluating the server.

4. Verify that the files you specified above actually exist at the specified locations on this server computer.

5. Create and use a secure configuration for all your environments.

6. If your FairCom server is already running, restart it so the changes you have made to the ctsrvr.cfg file take effect. This file is processed only at server startup time.
Examples

Default minimally secure configuration for COMM_PROTOCOL SSL example

    SUBSYSTEM COMM_PROTOCOL SSL {
        SERVER_CERTIFICATE_FILE serverCert.pem
        SSL_CONNECTIONS_ONLY NO
        SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
    }

Maximally secure configuration for COMM_PROTOCOL SSL example

    SUBSYSTEM COMM_PROTOCOL SSL {
        SERVER_CERTIFICATE_FILE my_server_certificate.pem
        SERVER_PRIVATE_KEY_FILE my_server_key.key
        SSL_CONNECTIONS_ONLY YES
        SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
    }
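As an added example (not FairCom's code), the following Python lint parses the SUBSYSTEM COMM_PROTOCOL SSL block of a ctsrvr.cfg, ignores the semicolon-commented form the shipped file uses, flags the settings this page describes as insecure (SSL_CONNECTIONS_ONLY NO and a cipher list built from a permissive base), and checks that the referenced certificate and key files exist in the config folder (step 4). The sample blocks are constructed from the two examples above; the finding texts are this example's own.

```python
import os
import re

# Constructed samples: the two ctsrvr.cfg blocks shown on this page.
DEFAULT_SSL_BLOCK = """
SUBSYSTEM COMM_PROTOCOL SSL {
    SERVER_CERTIFICATE_FILE serverCert.pem
    SSL_CONNECTIONS_ONLY NO
    SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}
"""
SECURE_SSL_BLOCK = """
SUBSYSTEM COMM_PROTOCOL SSL {
    SERVER_CERTIFICATE_FILE my_server_certificate.pem
    SERVER_PRIVATE_KEY_FILE my_server_key.key
    SSL_CONNECTIONS_ONLY YES
    SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}
"""

BLOCK_RE = re.compile(r"SUBSYSTEM\s+COMM_PROTOCOL\s+SSL\s*\{(.*?)\}", re.S)

def parse_ssl_block(cfg_text):
    """Return {KEYWORD: value} for the active SSL block, or None if absent or commented out."""
    # Lines starting with ';' are comments, so a still-commented block is not picked up.
    active = "\n".join(l for l in cfg_text.splitlines() if not l.lstrip().startswith(";"))
    match = BLOCK_RE.search(active)
    if match is None:
        return None
    settings = {}
    for line in match.group(1).splitlines():
        parts = line.split(None, 1)  # "KEYWORD value"
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings

def audit_ssl_settings(settings):
    """Return findings (empty list means nothing flagged) for a parsed SSL block."""
    if settings is None:
        return ["SUBSYSTEM COMM_PROTOCOL SSL block is missing or commented out"]
    findings = []
    if settings.get("SSL_CONNECTIONS_ONLY", "NO").upper() != "YES":
        findings.append("SSL_CONNECTIONS_ONLY is not YES: unencrypted connections are still accepted")
    if settings.get("SSL_CIPHERS", "").upper().split(":")[0] in ("", "ALL", "DEFAULT"):
        findings.append("SSL_CIPHERS starts from a permissive base list; prefer an explicit allow-list")
    return findings

def missing_files(settings, config_dir):
    """Certificate/key file names from the block that do not exist under config_dir (step 4)."""
    names = [settings[k] for k in ("SERVER_CERTIFICATE_FILE", "SERVER_PRIVATE_KEY_FILE") if k in settings]
    return [n for n in names if not os.path.isfile(os.path.join(config_dir, n))]
```

Run it against the real <faircom>/config/ctsrvr.cfg after step 3 to confirm the block is uncommented, SSL_CONNECTIONS_ONLY is YES, and the files it names are present.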