Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.

Hey folks, feature request/question here.

We are currently using patroni as an HA solution for PostgreSQL and want to use Acra as an encryption/decryption DB proxy for on-the-fly transparent data encryption.

In Patroni, a. HAproxy connects with multiple postgres nodes, based on a leader-replica architecture using raft.

Is it possible to integrate AcraServer over the same patroni's HAProxy, so that we can introduce AcraServer without sacrificing our DB's latency instead of a separate AcraServer instance?

issues:

In the documentation, this is mentioned :

Transparent encryption proxy mode allows you to configure AcraServer to encrypt records in specific database columns without altering the application code.

However, There is not possibility for my not editable application to work with this proxy as :

Encrypted data is binary data. As AcraServer doesn't know the nature of data, it returns the decrypted binary data to the web app. You’ll need to change the source code of your web app for the app to expect the decrypted data as binary, then to encode it into the original format (strings, numbers, bytes, etc.).

Expected behaviour :

As a transparent proxy user , I expect to have to define the database field type either in the acra server/connector configuration and in the database (change encrypted field into binary field) but not in the application code.

Regards,

Hello, I have been testing Acra Server 0.92.0 with an application. Version 0.92.0 seems to be working fine. I then realized I needed some features present in the 0.93.0 release but after updating I can't no longer run my application with acra.

To Reproduce

• Set up acra server 0.92.0 with my application
• Updated Acra server from 0.92.0 to 0.93.0
• Application no longer works with acra server

Expected behavior Application should work as before

Acra configuration files

--client_id="test"
--db_host=postgres
--keys_dir=/keys
--tls_auth=0
--tls_client_id_from_cert=false
--postgresql_enable=true
-d

Environment (please complete the following information):

• Acra version: 0.93.0
• Database server and its version: PostgreSQL 9.6.10
• Installed components:
  • [x] AcraServer
• Data-in-transit encryption between Acra and the client-side application:
  • [x] no transport encryption
• Installation way:
  • [x] via Docker

Additional context Acra server debug logs when the application crashes

time="2022-09-01T14:04:32Z" level=debug msg="New query" client_id=test prepared_name=S_4 proxy=client session_id=1 sql=begin
time="2022-09-01T14:04:32Z" level=debug msg="Registered new prepared statement" client_id=test prepared_name=S_4 proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg=GetBindData client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Bind packet" client_id=test portal="" proxy=client session_id=1 statement=S_4
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg=GetExecuteData client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg=GetParseData client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="New query" client_id=test prepared_name=S_5 proxy=client session_id=1 sql="insert into blue_FDZ_CONFIGURATION(\"key\", value) values ($1, $2)"
time="2022-09-01T14:04:32Z" level=debug msg="Hasn't schema for table blue_FDZ_CONFIGURATION"
time="2022-09-01T14:04:32Z" level=debug msg="Registered new prepared statement" client_id=test prepared_name=S_5 proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data length" client_id=test proxy=server session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=server session_id=1
time="2022-09-01T14:04:32Z" level=debug msg=ParseComplete parse="&{[83 95 53 0] [73 78 83 69 82 84 32 73 78 84 79 32 34 98 108 117 101 95 70 68 90 95 67 79 78 70 73 71 85 82 65 84 73 79 78 34 32 40 34 107 101 121 34 44 32 34 118 97 108 117 101 34 41 32 86 65 76 85 69 83 32 40 36 49 44 32 36 50 41 0] [0 2] [[0 0 4 19] [0 0 4 19]]}"
time="2022-09-01T14:04:32Z" level=debug msg="Read packet" client_id=test proxy=server session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data length" client_id=test proxy=server session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Read data" client_id=test proxy=server session_id=1
time="2022-09-01T14:04:32Z" level=error msg="Panic in connection processing, close connection" client_id=test error="runtime error: invalid memory address or nil pointer dereference" function=ProxyDatabaseConnection session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Close acra-connector connection" client_id=test session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Can't read first 5 bytes" client_id=test code=588 error="read tcp 172.30.0.8:9393->172.30.0.9:56294: use of closed network connection" proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Can't read packet from client to database" client_id=test error="read tcp 172.30.0.8:9393->172.30.0.9:56294: use of closed network connection" proxy=client session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Stop to proxy" client_id=test interrupt_side=Client-AcraServer session_id=1
time="2022-09-01T14:04:32Z" level=error msg="Network error" client_id=test code=1100 error="read tcp 172.30.0.8:9393->172.30.0.9:56294: use of closed network connection" interrupt_side=Client-AcraServer session_id=1
time="2022-09-01T14:04:32Z" level=info msg="Closing client's connection" client_id=test interrupt_side=Client-AcraServer session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Close acra-connector connection" client_id=test session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Close db connection" client_id=test session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="Close db connection" client_id=test session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="All connections closed" client_id=test session_id=1
time="2022-09-01T14:04:32Z" level=debug msg="All connections closed" client_id=test session_id=1
time="2022-09-01T14:04:33Z" level=debug msg="Can't read first 5 bytes" client_id=test code=588 error=EOF proxy=client session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Can't read packet from client to database" client_id=test error=EOF proxy=client session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Stop to proxy" client_id=test interrupt_side=Client-AcraServer session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="EOF connection closed" client_id=test interrupt_side=Client-AcraServer session_id=2
time="2022-09-01T14:04:33Z" level=info msg="Closing client's connection" client_id=test interrupt_side=Client-AcraServer session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Close acra-connector connection" client_id=test session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Close db connection" client_id=test session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Can't read packet" client_id=test code=588 error="read tcp 172.30.0.8:35104->172.30.0.4:5432: use of closed network connection" proxy=server session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="All connections closed" client_id=test session_id=2
time="2022-09-01T14:04:33Z" level=debug msg="Second proxy goroutine stopped" client_id=test error="AcraServer-Database:read tcp 172.30.0.8:35104->172.30.0.4:5432: use of closed network connection" interrupt_side=Client-AcraServer session_id=2
time="2022-09-01T14:04:33Z" level=info msg="Finished processing client's connection" client_id=test interrupt_side=Client-AcraServer session_id=2

Also tried to run different commits of release 0.93.0 and this starts to happen after commit 29eb6ffb20ecbefd2f7f1684ec16666c1ab6169a

• Fix golint not being installed in prepare.sh and thus not reporting issues
• Add misspell linter to detect common misspells
• Add ineffassign linter to detect ineffectual assignments (assigned but not used or unintentionally assigned to wrong var because of how scopes and := work in Go)
• Make all these linters write output to console, so we'll see what the issues are by looking at CI log

I'm still unsure whether it's good idea to allow 10 ineffassign issues. There are currently 3, and those are intentional = nil assignments. Like, we won't see them until we reach 10, but then we won't be able to merge PR because CircleCI tells us there're too many issues

Hi,

I am looking for a tutorial that's gonna make me test your searchable encryption part of software but the one in the examples is empty and "coming soon".

I have read the provided guide anyway and I cannot find the "encryptor_config_file" in the acra engineering demo. How I do?

Cheers.

Extended current TLS authentication where acra may starts with specified from cli params client_id which used for all incoming connections. This PR extends it and allow to start acra without static client_id and use data from certificates to map them to keystore identifiers/keys. PR contains 2 implementations of extracting data from certificates: common name and serial numbers, which should be chosen at startup (cli params not added yet). And one implementation of converting these values to acceptable format of ids using hex encoder (to allow non ascii printable values like serial numbers) and hash function (to allow values which longer than 256 length). A little bit refactored unit-tests to re-use same common function which verify wrapper's logic, added helpers to generate tls certificates in golang to test all specific cases related to certificate fields (@iamnotacake you can re-use them if need^)

Done:

• validation incoming certificate (deny CA certificates or with incorrect keyUsage/extKeyUsage values)
• identifier fetching from certificates (distinguished name, serial numbers)
• encoding identifier values to acceptable formats of clientID by sha512 and hex encoding

Now AcraServer can use certificates from acra-connector connections when used tls_client_id_from_cert + acraconnector_tls_transport_enable, or from app's connection when used tls_client_id_from_cert + acraconnector_transport_encryption_disable. In both cases should be configured all necessary TLS params with ca/cert/key values. Plus user can configure which strategy of mapping certificate metadata to clientID to use. To configure should set tls_identifier_extractor_type with distinguished_name or serial_number value. In first case will be used "Subject" field ordered and formatted according to RFC2253, hashed with sha512 (as hash function which provide longest digest and least collision probability) and encoded to hex value. In second cases will be used serial number as 20-bytes integer value in big-endian order hashed with same function sha512 and encoded to hex value. First strategy good to use when certificates may be rotated and allow to avoid rotation keys and accordingly data too. Second strategy good for environments when Subject field not used in certificates.

This PR introduces several updates for our AcraTranslator service.

In general I refactored main component (ReaderServer) and added support of SIGHUP handling to the service. What is refactored:

• Added new StartFromFileDescriptor function that allows to run HTTP and gRPC servers having listener obtained from correspondent descriptor, instead of creating a new ones in order to preserve current listeners in new process;
• Splitted monster Start function on lower components startHTTP, startGRPC in order to improve readability;
• Wrapped Start and StartFromFileDescriptor with timeout exit (single point) and avoiding hidden os.Exit calls. This is extremely important for EE version that relies on CE ReaderServer component;
• Moved from 'multiply listeners - multiply connections' to 'single listener - multiply connection' with transparent management of stopping/closing it. This is also important for better controlling of code execution;
• Added some getters which is needed by EE version.

There are two questions about previous implementation that were not obvious for me (most likely they are addressed to @Lagovas), and probably we can discuss it while review process: 1) why previously we had 'multiply listeners - multiply connection' model (when we called HandleClientConnection, it was a AcceptConnection function inside that created internally new listener and returned accepted connection via channel, their closing was managed via child contexts cancelling in separate goroutine) if listener itself allows calling Accept function safely from multiply goroutines; and 2) why does switching to new process works, if file descriptors created while SIGHUP processing and on service starting are different? (I asked @Lagovas about it and we came to the point that we know order number of Acra descriptor - it's 3, but it seems that we need not the order number but correct actual value of fd to start)

How did I test this? Manually. I created a following methodology for testing it (locally run AcraTranslator, AcraConnector and 2 toy applications: one for sending HTTP and second - for gRPC requests):

1. Test HTTP component without/with active connections;
2. Test gRPC component without/with active connections;
3. Test HTTP + gRPC components that run simultaneously without/with active connections;

For sending HTTP requests I used the following piece of code (thanks to our documentation - but some examples are outdated there):

for run in {1..100}; 
do curl -X POST --data-binary @client.acrastruct --header "Content-Type: application/octet-stream" http://127.0.0.1:8000/v1/decrypt; 
done

For sending gRPC requests I used following go code:

conn, err := grpc.Dial("127.0.0.1:8001", grpc.WithInsecure())
	if err != nil {
		t.Fatal(err)
	}
	defer conn.Close()


	client := grpc1.NewReaderClient(conn)

	for start := time.Now(); time.Since(start) < time.Second * 10; {
		_, _ = client.Decrypt(context.Background(),
			&grpc1.DecryptRequest{
				ClientId:   []byte("testclientid"),
				ZoneId:     []byte("test_zone"),
				Acrastruct: []byte("blabla"),
			},
			grpc.EmptyCallOption{})
	}

While those applications were running, I sent (multiply times) SIGHUP signal to the AcraTranslator and observed that service restarted and there were no cut connections. Testing without connections are rather straightforward.

Hi,

I am having problems with latest release of Acra and I don't understand how to troubleshoot that problem. Print is working (empty) but I cannot submit the data into the database with python examples. I am using Ubuntu 20.04.4 LTS.

Error output: (I cannot bold/code style it so I will make "----" where code starts and where ends)

ubuntu@Gallardo:~/acra$ python3 examples/python/example_without_zone.py --public_key=docker/.acrakeys/acra-server/1ec6f16c36e6a3f1a064d708cba5b1ca760ba5ae29d3d80aab67b043ca641255c21ddf8f0fb09a8de336d555b4b961953200c7125f745cff7ed577f7c4b555c4_storage.pub --db_user=${POSTGRES_USER} --db_password=${POSTGRES_PASSWORD} --host=127.0.0.1 --port=5432 --data="data1" insert data: data1 Traceback (most recent call last): File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1719, in _execute_context context = constructor( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 1091, in _init_compiled param = { File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 1092, in key: processorskey File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/sql/type_api.py", line 1631, in process return impl_processor(process_param(value, dialect)) File "/home/ubuntu/.local/lib/python3.8/site-packages/acrawriter/sqlalchemy/init.py", line 31, in process_bind_param return create_acrastruct(value, self._public_key) File "/home/ubuntu/.local/lib/python3.8/site-packages/acrawriter/init.py", line 40, in create_acrastruct random_kp = GenerateKeyPair(KEY_PAIR_TYPE.EC) File "/home/ubuntu/.local/lib/python3.8/site-packages/pythemis/skeygen.py", line 42, in init if themis.themis_gen_ec_key_pair( File "/usr/lib/python3.8/ctypes/init.py", line 386, in getattr func = self.getitem(name) File "/usr/lib/python3.8/ctypes/init.py", line 391, in getitem func = self._FuncPtr((name_or_ordinal, self)) AttributeError: python3: undefined symbol: themis_gen_ec_key_pair

The above exception was the direct cause of the following exception:

Traceback (most recent call last): File "examples/python/example_without_zone.py", line 73, in write_data(args.data, connection) File "examples/python/example_without_zone.py", line 33, in write_data connection.execute( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1306, in execute return meth(self, multiparams, params, _EMPTY_EXECUTION_OPTS) File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/sql/elements.py", line 325, in _execute_on_connection return connection._execute_clauseelement( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1498, in _execute_clauseelement ret = self._execute_context( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1725, in _execute_context self.handle_dbapi_exception( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 2043, in handle_dbapi_exception util.raise( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 207, in raise raise exception File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1719, in _execute_context context = constructor( File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 1091, in _init_compiled param = { File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 1092, in key: processorskey File "/home/ubuntu/.local/lib/python3.8/site-packages/sqlalchemy/sql/type_api.py", line 1631, in process return impl_processor(process_param(value, dialect)) File "/home/ubuntu/.local/lib/python3.8/site-packages/acrawriter/sqlalchemy/init.py", line 31, in process_bind_param return create_acrastruct(value, self._public_key) File "/home/ubuntu/.local/lib/python3.8/site-packages/acrawriter/init.py", line 40, in create_acrastruct random_kp = GenerateKeyPair(KEY_PAIR_TYPE.EC) File "/home/ubuntu/.local/lib/python3.8/site-packages/pythemis/skeygen.py", line 42, in init if themis.themis_gen_ec_key_pair( File "/usr/lib/python3.8/ctypes/init.py", line 386, in getattr func = self.getitem(name) File "/usr/lib/python3.8/ctypes/init.py", line 391, in getitem func = self._FuncPtr((name_or_ordinal, self)) sqlalchemy.exc.StatementError: (builtins.AttributeError) python3: undefined symbol: themis_gen_ec_key_pair [SQL: INSERT INTO test_example_without_zone (data, raw_data) VALUES (%(data)s, %(raw_data)s) RETURNING test_example_without_zone.id] [parameters: [{'data': b'data1', 'raw_data': 'data1'}]]

File used with command source to set environment variables both in Docker compose starting window and the example one:

export ACRA_SERVER_MASTER_KEY=$(echo -n "6EaxBnRwcNZnNyExInkrY0hC6Ahxz5pS" | base64) export ACRA_CONNECTOR_MASTER_KEY=$(echo -n "oPZktQOFIHuyOc65fnoBnh8wWFdixJly" | base64) export ACRA_CLIENT_ID="Testbed" export POSTGRES_DB="test" export POSTGRES_USER="test" export POSTGRES_PASSWORD="test" export MYSQL_ONETIME_PASSWORD="test" export MYSQL_ROOT_PASSWORD="test" export MYSQL_DATABASE="test" export MYSQL_USER="test" export MYSQL_PASSWORD="test" export ACRA_HTTPAUTH_USER=test export ACRA_HTTPAUTH_PASSWORD=test

I hope someone can help me to carry out this problem, Cheers.

Hello, I'm trying to build Acra from sources but I'm failing at the first step of the guide which is to install acra-keymaker.

This is the error I get when I run go get github.com/cossacklabs/acra/cmd/acra-keymaker

ubuntu@ip-10-1-1-1:~/work/src/go.opencensus.io$ go get github.com/cossacklabs/acra/cmd/acra-keymaker
package go.opencensus.io/exporter/jaeger: cannot find package "go.opencensus.io/exporter/jaeger" in any of:
        /usr/lib/go-1.10/src/go.opencensus.io/exporter/jaeger (from $GOROOT)
        /home/ubuntu/work/src/go.opencensus.io/exporter/jaeger (from $GOPATH)

This got resolved when I downgraded go.opencensus.io/ from latest to v0.19.x because the package jaeger is moved to contrib.go.opencensus.io

Found that valid strings with \n characters for string types we encode as hex values and then it rendered incorrectly in web apps. In this PR update our check of printable characters that skipped for encoding. Also found that postgresql sends unicode values in another way then simple latin strings (with encoding into hex). But I didn't find how to fix it correctly, so I created T2531 for futher investigations. And this PR just short fix that should fix obvious and frequent cases.

Checklist

• [X] Change is covered by automated tests
• [X] The coding guidelines are followed
• ~~[ ] Public API has proper documentation in the Acra documentation site or has PR on documentation repository with new changes~~
• ~~[ ] CHANGELOG.md is updated (in case of notable or breaking changes)~~
• [X] CHANGELOG_DEV.md is updated
• ~~[ ] Benchmark results are attached (if applicable)~~
• ~~[ ] Example projects and code samples are up-to-date (in case of API changes)~~

Currently AcraServer uses only one TLS configuration for everything. This means, in particular, that both AcraConnector and DB are expected to use the same private CA, if root certificates are not available in the system certificate store. This is not always the case, and it would be nice to allow separate TLS configurations.

This PR adds several new options:

| New option | Old option | Purpose | | -- | -- | -- | | tls_client_ca | tls_ca | path to CAfile with trusted root certificates for AcraConnector verification | | tls_client_cert | tls_cert | path to server certificate presented to AcraConnectors | | tls_client_key | tls_key | path to private key to the certificate above | | tls_client_auth | tls_auth | TLS authentication level when accepting AcraConnector connections |

| New option | Old option | Purpose | | -- | -- | -- | | tls_database_ca | tls_ca | path to CAfile with trusted root certificates for database verification | | tls_database_cert | tls_cert | path to client certificate used when connecting to database | | tls_database_key | tls_key | path to private key to the certificate above | | tls_database_auth | tls_auth | TLS authentication level when connecting to database | | tls_database_sni | tls_db_sni | server name expected when connecting to database (renamed option) |

New options override old options. The old options still remains not deprecated, they might be useful as a shortcut.

This required a refactoring to split the TLS configuration, ~~so in the future it will be possible to have more specific configuration (think, different allowed authentication modes, cryptosuites, TLS versions, etc.)~~ which allowed to easily split the configuration.

There are no integration tests for this option currently. (Do we need them?) I have tested it manually, with recently updated certificates. The timing could not have been better...

The idea of that PR is to split test.py file into pieces as now it's difficult to work with that file. IDEA needs more time to index the file, plus its more difficult to find the class/mixing you need.

What have been made in this PR:

• move all encryptor config files from tests/* to tests/encryptor_configs folder.
• split test.py into several subfiles with tests:
  • base.py contains all general classes/constants/mixings etc
  • searchable_transparent_encryption.py contains base mixing for searchable/transparent encryption tests and their related tests;
  • tokenization.py - contains base mixing for tokenization/masking tests and their related tests;
  • type_aware.py - contains all tests related to TA
  • integrations.py - contains all tests with integrations (AWS, Vault, Consul, etc)

test.py has less than 5k of codes now and contains general tests unrelated to the previously described. The idea was to save test.py file as the main file, not to change the CI running scripts.

Currently, PR is in a draft state, as some test files can be added and structure can be changed.

Checklist

• [ ] Change is covered by automated tests
• [ ] The coding guidelines are followed
• [ ] Public API has proper documentation in the Acra documentation site or has PR on documentation repository with new changes
• [ ] CHANGELOG.md is updated (in case of notable or breaking changes)
• [ ] CHANGELOG_DEV.md is updated
• [ ] Benchmark results are attached (if applicable)
• [ ] Example projects and code samples are up-to-date (in case of API changes)

Describe the bug

A clear and concise description of what the bug is.

The configuration value tls_ocsp_from_cert: ignore is not working correctly with the database connection. To get the expected behaviour, I had to use an undocumented setting tls_ocsp_database_from_cert: ignore which I guessed from reading the code, not the docs.

My expectation would be for it to be documented here: https://docs.cossacklabs.com/acra/configuring-maintaining/tls/ocsp/

I'm aware of the implications of switching off all these TLS settings and using the same certificate & key for client & server - honestly, I am just trying to get it to work with Python and the asyncpg library, with Cockroach Labs serverless DB which seems to not have OCSP set up as Acra expects it to be (separate bug? I don't know yet.)

To Reproduce My YAML configuration (db_host is censored):

# acra.yml - both encryptor and server config in one file because they don't seem to step on each other.
version: 0.94.0

schemas:
  - table: tbl_auditlog
    columns:
      - dc_entry_id
      - dc_guild
      - stamp
    encrypted:
      - column: dc_user
        searchable: true
      - column: dc_target
        searchable: true
      - column: py_auditlogentry

  - table: t_bot_settings
    columns:
      - ky
    encrypted:
      - column: dc_user
        searchable: true
      - column: json_val

postgresql_enable: true
db_host: "example.cluster.cockroachlabs.cloud"
db_port: 26257

keystore_cache_size: -1
keystore_cache_on_start_enable: false
tls_key: "./keys/opensslKey.key"
tls_cert: "./keys/opensslCertificate.crt"
tls_auth: 0
tls_client_id_from_cert: false
tls_ocsp_required: allowUnknown
tls_ocsp_from_cert: ignore
#tls_ocsp_database_from_cert: ignore
tls_crl_from_cert: ignore
tls_crl_database_from_cert: ignore
#tls_ocsp_url: ""
#tls_ocsp_client_url: ""
#tls_ocsp_database_url: "http://r3.o.lencr.org/ocsp"

My acra-server command: acra-server --config_file=./acra.yml --client_id=dev_acra_client --encryptor_config_storage_type=filesystem --encryptor_config_file=./acra.yml -v -d

My test client (Python):

import asyncio
import asyncpg
import ssl
sslctx1 = ssl.create_default_context(
    ssl.Purpose.SERVER_AUTH,
    cafile="./keys/opensslCertificate.crt"
)
sslctx1.load_cert_chain(
    "./keys/opensslCertificate.crt",
    keyfile="./keys/opensslKey.crt"
)
sslctx1.check_hostname = False
sslctx1.verify_mode = ssl.CERT_NONE


async def maintest(q):
    c = await asyncpg.connect(
                host="0.0.0.0", port=9393, user='user',
                password='qvr Trqnaxra fvaq serv',
                database="dev",
                ssl=sslctx1
    )
    x = await c.fetch(q)
    print(x)
    return x

asyncio.run(maintest("select * from pg_catalog.pg_user;"))

Expected behavior

A clear and concise description of what you expected to happen.

Acra should ignore OCSP URLs on the certificates, on both connections. The problem behaviour only happens when commenting out the tls_ocsp_database_from_cert: ignore line in the acra.yml file and then restarting the Acra server. The expected behaviour happens when it is uncommented.

Acra configuration files

• For AcraServer:
  • [x] configuration file or CLI params that you use to start AcraServer;
  • [x] encryptor_config.yaml if used.

Environment (please complete the following information):

• Acra version: [0.94.0+bullseye on Debian installed with the instructions in the docs]
• Database server and its version: [Cockroach DB Serverless, whatever the current version is (Postgres based)]
• Installed components:
  • [x] AcraServer
  • [ ] AcraTranslator
• Data-in-transit encryption between Acra and the client-side application:
  • [x] TLS
  • [ ] AcraConnector
  • [ ] no transport encryption
• Installation way:
  • [ ] via Docker
  • [x] via package manager

Additional context

Add any other context about the problem here.

Failure debug logs will be attached.

Added consistent tokenization to default option of encryptor config

Checklist

• [ ] Change is covered by automated tests
• [ ] The coding guidelines are followed
• [ ] Public API has proper documentation in the Acra documentation site or has PR on documentation repository with new changes
• [ ] CHANGELOG.md is updated (in case of notable or breaking changes)
• [ ] CHANGELOG_DEV.md is updated
• [ ] Benchmark results are attached (if applicable)
• [ ] Example projects and code samples are up-to-date (in case of API changes)

Here is merged master into your branch plus fixes with calculating prefixes from utf8 strings instead of encoded arrays. You can review last 2 commits after merge branch or pull changes from master into your branch and refresh.

Checklist

• [ ] Change is covered by automated tests
• [ ] The coding guidelines are followed
• [ ] Public API has proper documentation in the Acra documentation site or has PR on documentation repository with new changes
• [ ] CHANGELOG.md is updated (in case of notable or breaking changes)
• [ ] CHANGELOG_DEV.md is updated
• [ ] Benchmark results are attached (if applicable)
• [ ] Example projects and code samples are up-to-date (in case of API changes)