Subject Re: [firebird-support] Firebird 3.0 client does not work with remote Firebird 2.5 database
Author Mark Rotteveel
On 2019-01-20 22:35, Helen Borrie helebor@...
[firebird-support] wrote:
> Michael Fox wrote:
>> The config settings are the default ones. For the two settings you
>> mentioned:
>> AuthClient = Srp, Win_Sspi, Legacy_Auth
>> WireCrypt = Enabled (for client) / Required (for server)
> Here's the thing. The defaults shown here for these two parameters
> represent the default configs for a Fb3 client and a Fb3 server. Since
> they are Fb 3 settings, the 2.5 server doesn't know about them.
> Specifically, they are telling the Fb3 client to encrypt the wire
> transmissions but of course Fb 2.5 doesn't support wire encryption.
> Likewise, Fb 2.5 doesn't support SRP authentication; nor does the
> Linux cclient support Win_Sspi at all.

The default setting of WireCrypt is Enabled for the client, means that
the Firebird client will attempt to request encryption if supported, but
still continue connecting when it is set to Disabled on the server.

But more important, when connecting to Firebird 2.5, this setting is
only applied for wire protocol 13 or higher (that is: when connecting to
Firebird 3 or higher, it is ignored when connecting with protocol 10-12
or Firebird 2.5 and lower). That is: even with setting WireCrypt =
Required, the client is able to connect to Firebird 2.5, even though
Firebird 2.5 doesn't support encryption at all.

I have just checked on Windows, and 3.0.1 fbclient works when connecting
to Firebird 2.5 using the default config. I have also tried with setting
WireCrypt to Required, but it was still able to connect just as I expected.

Only when I set the AuthClient plugin list to just Srp (instead of the
default Srp, Win_Sspi, Legacy_Auth), I was unable to connect, but it
yielded the error "Your user name and password are not defined. Ask your
database administrator to set up a Firebird login." as - AFAIK - with
this config, the client tries to authenticate password-less.

> Firebird 3 allows configuration at both client and server for some
> parameters, including these two. Changes to these parameters must be
> done at the client side for your situation. If you plan to use the
> same Firebird setup on the Linus server as a client for databases on
> both 2.5 and 3.0 servers, you'll need to configure records there in
> databases.conf, specific to each. (You could set them globally in
> firebird.conf but that would, of course, restrict the options for
> accessing diverse remote databases.)

This shouldn't be necessary with a default firebird.conf. A Firebird 3
client is able to connect to Firebird 2.5 with the default AuthClient
and WireCrypt setting (at least on Windows).

Either this is a 3.0.1 specific problem (although I can't reproduce on
Windows), or maybe the version in Debian was modified for tighter security.

I know I avoided 3.0.1 because it contained several annoying bugs that
interfered with testing Jaybird (which I test against 3.0 and 2.5, pure
java and with the 3.0 and 2.5 client).