To use TLS, the OpenSSL libcrypto library must be installed on both the client and server systems, and its location defined in the solid.ini file:
[Com]
OpenSslLibPath=<path to OpenSSL library>
If this value is not set, solidDB® searches the system paths to find the necessary OpenSSL components. If OpenSSL is available, the solidDB® server listens for SSL connections on the TCP port or ports defined in the [Com] section of the solid.ini file using the protocol name ‘tls’:
[Com]
Listen = tls 1315, tls 2315
Using SSL to encrypt the network connection between a client and a server (using an untrusted server certificate)
If the solidDB® server is started without an existing server certificate and private key, it generates a one-time self-signed certificate and corresponding private key for each incoming SSL client connection. The generated key is a 2048-bit RSA key, and the generated certificate acts as a container for the public key.
This mode does not protect against a man-in-the-middle attack and should not be used for sensitive, public communications as the client may establish a connection with an untrustworthy solidDB® server.
Using a trusted server certificate
The server is required to supply a trusted certificate if the location of the certificates of the certificate authorities (CAs) trusted by the client is set using the client-side solid.ini setting:
[Com]
ClientCAStorePath=<path to certificate>
In this setup, files containing the server certificate and private key must exist. By default, these files are expected to be named server.crt and server.key, respectively, in the server’s working directory. Other filenames and locations can be specified using the configuration parameters:
[Com]
ServerCertificate=<path to certificate file>
ServerPrivateKey=<path to private key file>
This setting protects against a man-in-the-middle attack, as clients can avoid establishing a connection with an untrustworthy solidDB® server: the client’s certificate validation routine can refuse the connection if no valid server certificate is returned.
You can use openssl commands to create a server certificate and a private key. First generate a 2048-bit RSA key and store it in a file named server.key:
openssl genrsa -out server.key 2048
To create a self-signed certificate, server.crt, you will need to provide additional information to identify your server:
The -x509 option is used for a self-signed certificate. 3600 days gives a certificate valid for 10 years. -nodes leaves the output key unencrypted. You can verify the details of your certificate using openssl:
openssl x509 -text -in server.crt
To use and validate this certificate, copy the server.crt and server.key files to the locations specified in the server-side solid.ini parameters Com.ServerCertificate and Com.ServerPrivateKey, and use server.crt as the trusted CA at the location specified in the client-side solid.ini parameter Com.ClientCAStorePath.
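The whole procedure above, carried through as an added example script (it is not part of the solidDB® documentation and not solidDB®'s own tooling): it generates the 2048-bit key and the self-signed server.crt, checks that the certificate validates when server.crt itself is used as the trusted CA (which is what ClientCAStorePath does on the client), checks that the private key matches the certificate's public key, and writes the matching server-side and client-side solid.ini fragments. The working directory $WORKDIR, the subject name soliddb.example.test and the non-interactive -subj argument are assumptions made for this example; port 1315 is the one used in the text.

```shell
#!/bin/sh
# Added example, not from the solidDB documentation: build the server TLS material
# described in the text and check it before pointing solid.ini at it.
set -eu

# Assumption: everything is written under a scratch directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: 2048-bit RSA private key, exactly as in the text.
make_server_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 2: self-signed certificate (-x509), valid for 3600 days, key left
# unencrypted (-nodes). The subject is given non-interactively; the CN is a
# constructed placeholder hostname, not a real server.
make_server_cert() {
    openssl req -new -x509 -key "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -days 3600 -nodes -subj "/CN=soliddb.example.test" 2>/dev/null
}

# Check 1: the certificate must validate against itself as the trusted CA.
# This mirrors what a client does when ClientCAStorePath points at server.crt;
# if this fails, the client-side validation routine will refuse the connection.
verify_cert_as_ca() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 2: the private key and the certificate's public key must belong together,
# otherwise the server cannot complete the TLS handshake with this pair.
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 3: the solid.ini fragments from the text, server side and client side,
# pointing at the files just created.
write_ini_fragments() {
    cat > "$WORKDIR/server-solid.ini" <<EOF
[Com]
Listen = tls 1315
ServerCertificate=$WORKDIR/server.crt
ServerPrivateKey=$WORKDIR/server.key
EOF
    cat > "$WORKDIR/client-solid.ini" <<EOF
[Com]
ClientCAStorePath=$WORKDIR/server.crt
EOF
}

# Run every step; returns 0 only if generation and both checks succeed.
setup_tls_material() {
    make_server_key && make_server_cert && verify_cert_as_ca && key_matches_cert \
        && write_ini_fragments
}

if [ "${1:-}" = "run" ]; then
    setup_tls_material && echo "TLS material ready in $WORKDIR"
    # Same inspection the text suggests, trimmed to the subject/validity lines.
    openssl x509 -text -noout -in "$WORKDIR/server.crt" | head -n 12
fi
```

Run it as `sh make-tls-material.sh run`; the two checks are the ones worth keeping in a deployment checklist, since a certificate that fails to validate against the file the client trusts, or a key that does not match the certificate, will only show up later as refused connections.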