HIGH missing tlsactixcockroachdb

Missing Tls in Actix with Cockroachdb

Scan for missing tls in actix

Missing Tls in Actix with Cockroachdb — how this specific combination creates or exposes the vulnerability

When an Actix web service connects to a CockroachDB cluster without TLS, credentials and query data traverse the network in plaintext. In a typical setup, the Actix application uses a database connection string or a configuration that omits sslmode=require (or equivalent). Because middleBrick scans the API surface without authentication, it can detect unencrypted database endpoints and flag the absence of transport-layer encryption as a data exposure finding. An attacker who can observe or intercept traffic between the Actix service and CockroachDB can read connection parameters, session information, and potentially modify queries in transit.

The risk is compounded in distributed environments where Actix instances and CockroachDB nodes communicate across internal networks that are assumed to be trusted. Without TLS, there is no server identity verification, making the system vulnerable to man-in-the-middle attacks even within private networks. middleBrick’s encryption checks highlight this by identifying connections that do not enforce encrypted communication, providing remediation guidance to enable TLS and validate certificates. This combination is particularly sensitive because database transactions often contain personally identifiable information or business-critical data, and missing encryption directly conflicts with compliance frameworks such as PCI-DSS and GDPR.

Cockroachdb-Specific Remediation in Actix — concrete code fixes

To secure the Actix and CockroachDB integration, enable TLS for the database client and verify server certificates. Use the postgres feature flags supported by the Rust driver to enforce encrypted connections and present client certificates when required. The following example shows a secure Actix configuration using the sqlx crate with a CockroachDB connection string that enforces TLS mode verify-full, providing both server authentication and optional client authentication.

use sqlx::postgres::PgConnectOptions;
use sqlx::ConnectOptions;
use std::time::Duration;

let mut opts = PgConnectOptions::new()
    .host(&std::env::var("DB_HOST").unwrap_or_else(|_| "localhost".into()))
    .port(26257)
    .database(&std::env::var("DB_NAME").unwrap_or_else(|_| "defaultdb".into()))
    .username(&std::env::var("DB_USER").unwrap_or_else(|_| "root".into()))
    .password(&std::env::var("DB_PASSWORD").unwrap_or_else(|_| "".into()));

// Enforce TLS with server certificate verification
opts = opts.tls_mode(sqlx::postgres::tls::Mode::VerifyFull);

// Optional: provide a custom TLS connector with root certificates
/*
use native_tls::TlsConnector;
use sqlx::postgres::tls::native_tls::NativeTlsConnector;
let tls = NativeTlsConnector::new(TlsConnector::new().unwrap());
opts = opts.tls_connector(Box::new(tls));
*/

let pool = sqlx::PgPoolOptions::new()
    .max_connections(5)
    .connect_with(opts)
    .await
    .expect("Failed to connect to CockroachDB with TLS");

If your CockroachDB cluster uses client certificate authentication, configure the TLS connector to include the client certificate and key. The following snippet demonstrates how to add client certificates with native-tls, ensuring that the Actix service can mutually authenticate with the database.

use sqlx::postgres::tls::native_tls::NativeTlsConnector;
use native_tls::{TlsConnector, Identity};
use std::fs;

let certs = fs::read("/path/to/client.crt").expect("unable to read client cert");
let key = fs::read("/path/to/client.key").expect("unable to read client key");
let identity = Identity::from_pkcs8(&certs, &key).expect("invalid identity");
let tls_connector = TlsConnector::builder().identity(identity).build().expect("TLS builder failed");
let tls = NativeTlsConnector::new(tls_connector);

let pool = sqlx::PgPoolOptions::new()
    .max_connections(5)
    .connect_with(
        PgConnectOptions::new()
            .host("your-cockroachdb.example.com")
            .port(26257)
            .database("defaultdb")
            .username("root")
            .password("securepassword")
            .tls_connector(Box::new(tls)),
    )
    .await
    .expect("Failed to connect with client certificates");

For non-Acme or locally managed certificates, you can use rustls to provide a custom root certificate store, which is useful in air-gapped environments. This approach ensures that the Actix application validates the CockroachDB server certificate against a pinned CA, preventing accidental cleartext communication and aligning the deployment with security best practices.

Related CWEs: encryption

CWE IDNameSeverity
CWE-319Cleartext Transmission of Sensitive Information HIGH
CWE-295Improper Certificate Validation HIGH
CWE-326Inadequate Encryption Strength HIGH
CWE-327Use of a Broken or Risky Cryptographic Algorithm HIGH
CWE-328Use of Weak Hash HIGH
CWE-330Use of Insufficiently Random Values HIGH
CWE-338Use of Cryptographically Weak PRNG MEDIUM
CWE-693Protection Mechanism Failure MEDIUM
CWE-757Selection of Less-Secure Algorithm During Negotiation HIGH
CWE-261Weak Encoding for Password HIGH
Scan for missing tls in actix Free API security scan

Frequently Asked Questions

Can middleBrick fix missing TLS in Actix and CockroachDB?
middleBrick detects and reports missing TLS as a finding with remediation guidance. It does not automatically fix or patch the issue; you must update your Actix database configuration to enforce TLS.
Does enabling TLS impact performance or require changes to SQL queries in Actix?
Enabling TLS adds minimal overhead and does not require changes to SQL queries. In Actix, you only need to adjust the connection options and ensure certificates are available; the sqlx queries remain unchanged.

Related Pages

Missing Tls in ActixLearn how missing TLS creates critical vulnerabilities in Actix applications and how to detect and fix them with middleBMissing Tls in CockroachdbMissing TLS in CockroachDB exposes credentials and data in transit. Learn how to detect and fix TLS misconfigurations spMissing Tls in Actix on DigitaloceanMissing Tls in Actix on Digitalocean: why it happens, how to detect it, and concrete Rustls/native-tls code examples to Missing Tls in Actix on AwsUnderstand how missing TLS in Actix on AWS creates exposure and apply AWS-specific fixes with concrete Actix code examplHipaa: Missing Tls in ActixHIPAA, Missing TLS, and Actix: how missing transport encryption exposes ePHI and concrete Rustls and redirect fixes to sGdpr: Missing Tls in ActixUnderstand GDPR risks when TLS is missing in Actix APIs, and apply Actix-specific HTTPS configurations with code exampleIso 27001: Missing Tls in ActixExplore ISO 27001 controls for Missing TLS in Actix APIs, with concrete remediation code examples and how middleBrick reMissing Tls in Actix with Bearer TokensLearn how missing TLS in Actix exposes Bearer Tokens, and apply concrete HTTPS middleware and bearer validation code exaMissing Tls in Actix with Hmac SignaturesExplore missing TLS risks in Actix with HMAC signatures, review secure remediation code examples, and learn detection viCis: Missing Tls in ActixCIS controls and missing TLS in Actix services: risks, detection, and concrete Rust code fixes using Rustls and HTTP-to-Missing Tls in Actix with Basic AuthDetect and fix Missing Tls in Actix with Basic Auth, enforce HTTPS, secure Basic Auth handling, real code examples.Missing Tls in Actix with Api KeysExplore Missing Tls in Actix with Api Keys — understand the risk and apply concrete Actix code fixes to enforce HTTPS an