How to use '"Over the wire" Connection Encryption' in practice?

[Alexander Skara]

Hi!

I am reading about https://firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-security-wirecrypt.html and https://firebird-devel.narkive.com/fBiIR6eQ/insecure-hashing-and-encryption-in-firebird-3

and I don't understand what I practically need to do this to enable this?

Should I enable this somehow in firebird.config? Or maybe I specify this option in the connection parameter somehow? Maybe I can do this from isql commandline?

I am using Delphi IBX TIBDatabase and Zeos TConnection and I am not sure whether those components have properties that induce to use those advanced connection properties if there are any?

Has anyone used these features?

Alex

[Mark Rotteveel]

It is enabled with the default configuration, assuming `WireCrypt` has
not been explicitly configured in firebird.conf, or if it is set to
`Enabled` or `Required`. With the default configuration, it isn't even
possible to connect *without* using encryption.

You must be authenticated with a Srp or Win_Sspi user, and the
connection must request authentication (which, if you're using a
Firebird 3.0 or higher fbclient.dll / libfbclient.so will be the default).

In other words, assuming a default configuration, you are likely already
using an encrypted connection.

You can verify if you're using an encrypted connection using the full
version string reported by the connection, if at the end it has `:C` or
`:CZ`, it will be encrypted (if `:CZ`, encrypted *and* compressed).

In Firebird 3.0.4 or higher, you can also query it using:

select RDB$GET_CONTEXT('SYSTEM', 'WIRE_ENCRYPTED')
from rdb$database

In Firebird 4.0 or higher, you can also query it using:

select mon$wire_encrypted, mon$wire_crypt_plugin
from mon$attachments
where mon$attachment_id = CURRENT_CONNECTION

Mark
--
Mark Rotteveel