No configuration option to require SSL on database connections

Development on this is mostly finished. The configuration option will only affect connections made by the package-search service. The Python services (i.e., all the other ones) will continue to use the default sslmode=prefer.

I am curious why apply the change to only the one service?

Our dependencies for the Python services don't support passing an sslmode option when connecting to Postgres unfortunately.

Does this mean the fix is installable?

Hi Mike, "Fix Committed" means that I have included the fix in our main branch. I am working on including this fix in the 23.03 PPA, at which point I will mark the bug as "Fix Released".

Thank you!

This fix has been released for focal and jammy for version 23.03 in landscape-server 23.03+18.2-0landscape0. Version 23.10 will not get this fix as it is out-of-support.

What repo will this update be available on?

Currently the fix is out in the self-hosted-23.03 ppa: https://launchpad.net/~landscape/+archive/ubuntu/self-hosted-23.03

The self-hosted-24.04 ppa will get this fix on our next release (likely next week).

So this is not upgradable with apt upgrade, it requires apt install landscape-server?

Also, I am not able to get the fix from the self-hosted-23.03 ppa: https://launchpad.net/~landscape/+archive/ubuntu/self-hosted-23.03

/var/www/landscape/self-hosted-23.03/ubuntu/pool/main/l/landscape-server# ll
total 23520
drwxr-xr-x 2 apt-mirror apt-mirror 4096 Feb 5 12:30 ./
drwxr-xr-x 5 apt-mirror apt-mirror 79 Nov 21 2023 ../
-rwxr-xr-x 1 apt-mirror apt-mirror 12272 Sep 22 2023 landscape-hosted_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12340 Jan 17 19:01 landscape-hosted_23.03+18-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 14536 Sep 22 2023 landscape-server-quickstart_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 14592 Jan 17 19:01 landscape-server-quickstart_23.03+18-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12008400 Sep 22 2023 landscape-server_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12008572 Jan 17 19:01 landscape-server_23.03+18-0landscape0_amd64.deb*

after running apt-mirror

Contents of /etc/apt/mirror.list

############# config ##################
#
#set base_path /var/www/apt-mirror
set base_path /media/landscape/apt-mirror
#
# set mirror_path $base_path/mirror
# set skel_path $base_path/skel
# set var_path $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads 20
set _tilde 0
set auth_no_challenge 1
#
############# end config ##############

# Landscape

#deb http://ppa.launchpad.net/landscape/17.03/ubuntu xenial main
#deb http://ppa.launchpad.net/landscape/18.03/ubuntu xenial main
#deb http://ppa.launchpad.net/landscape/18.03/ubuntu bionic main
#deb http://ppa.launchpad.net/landscape/19.01/ubuntu bionic main
#deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main
deb http://ppa.launchpad.net/landscape/self-hosted-23.03/ubuntu jammy main
#deb http://ppa.launchpad.net/landscape/self-hosted-24.04/ubuntu jammy main

clean http://archive.ubuntu.com/ubuntu

Hi Mike, this seems like it might be more of an issue with your mirrors. You may have better luck opening a support ticket since they'll be most knowledgeable about the particulars of your setup. Once you have the newest version available in your sources, you can `apt upgrade landscape-server` to get the newest version.

You'll also want to include an additional line in the [package-search] section of your service.conf to enable the fix:

```
[package-search]
...
sslmode = require
```

Or whichever sslmode you'd like. You can get a full list with explanations here: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS