Determining the TLS mode of a Vertica database

When you configure Vertica for TLS through the Management Console, you must configure the security mode to match what the Vertica database is configured to require: server mode or mutual mode.

When you configure Vertica for TLS through the Management Console, you must configure the security mode to match what the Vertica database is configured to require: server mode or mutual mode.

To determine the TLS mode for existing sessions, query the SESSIONS system table:

=> SELECT session_id, user_name, ssl_state FROM sessions;
           session_id            | user_name | ssl_state
---------------------------------+-----------+-----------
 v_vmart_node0001-333611:0x1ab   | dbadmin   | mutual

To determine the Vertica database's client-server TLS configuration, query the TLS_CONFIGURATIONS system table for the "server":

=> SELECT name, certificate, ca_certificates, mode FROM tls_configurations WHERE name = 'server';
  name  |   certificate    |   ca_certificates   |   mode
--------+------------------+---------------------+-----------
 server | server_cert      | ca_cert,ica_cert    | VERIFY_CA
(1 row)

The "mode" can be one of the following, in ascending security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.

  • ENABLE: Enables TLS. Vertica does not check client certificates.

  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • the client presents a valid certificate

    • the client doesn't present a certificate

    If the client presents an invalid certificate, the connection will use plaintext.

  • VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. Using this TLSMODE forces connections without a client certificate to use plaintext.

  • VERIFY_FULL: Connection succeeds if Vertica verifies that the certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the client.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the client.

Mutual mode corresponds to TRY_VERIFY or higher, which indicates that Vertica is in mutual mode. In mutual mode, Vertica sends its server certificate to the client for verification, and uses the CA certificates (in this case, "ca_cert" and "ica_cert") to verify client certificates.

In contrast, a server mode configuration (which doesn't verify client certificates) might have the following TLS configuration instead:

=> SELECT name, certificate, ca_certificates, mode FROM tls_configurations WHERE name = 'server';
  name  |   certificate    |   ca_certificates   |   mode
--------+------------------+---------------------+-----------
 server | server_cert      |                     | ENABLE
(1 row)