Datenbank/Kryptografie: Unterschied zwischen den Versionen
K Dirkwagner verschob die Seite Datenbank:Verschlüsselung nach Datenbank:Kryptografie: Textersetzung - „Verschlüsselung“ durch „Kryptografie“ |
K Textersetzung - „Verschlüsselung“ durch „Kryptografie“ |
||
| Zeile 78: | Zeile 78: | ||
# https://bettercrypto.org/ | # https://bettercrypto.org/ | ||
[[Kategorie: | [[Kategorie:Kryptografie:Best Practice]] | ||
[[Kategorie:Datenbank]] | [[Kategorie:Datenbank]] | ||
Version vom 16. Januar 2023, 13:22 Uhr
Databases
MySQL
Tested with Versions
- MySQL 5.5 on Debian Wheezy
- MySQL 5.7.20 on Ubuntu 16.04.3
Settings
References
MySQL Documentation on Configuring MySQL to Use Encrypted Connections.
How to test
After restarting the server run the following query to see if the ssl settings are correct: show variables like '%ssl%';
DB2
Tested with Version
We do not test this here, since we only reference other papers for DB2 so far.
Settings
ssl_cipherspecs:
In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
- Recommended and supported ciphersuites
db2 update dbm cfg using SSL_CIPHERSPECS TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
References
IBM DB2 Documentation on Supported cipher suites.https://www.ibm.com/support/knowledgecenter/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053544.html
PostgreSQL
Tested with Versions
- Debian Wheezy and PostgreSQL 9.1
- Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
Settings
To start in SSL mode the server.crt and server.key must exist in the servers data directory $PGDATA.
| Starting with version 9.2, you have the possibility to set the path manually. |
References
It’s recommended to read Security and Authentication in the manual. PostgreSQL Documentation on Secure TCP/IP Connections with SSL. PostgreSQL Documentation on Client Authentication.
How to test
To test your ssl settings, run psql with the sslmode parameter: $ psql "sslmode=require host=postgres-server dbname=database" your-username