GOST Security Compliance & Testing Guide
Status: TLS implemented, TDE planned Target Audience: Security Auditors, DevOps, QA
1. GOST Security Ecosystem in AngaraBase
AngaraBase implements a layered approach to Russian national cryptographic standards (GOST).
1.1. Transport Layer (TLS) — Available
Protection of data in transit using GOST R 34.10-2012 (Public Key) and GOST 28147-89 (Cipher suites).
- Implementation: Provider-based abstraction (OpenSSL Engine / Rustls).
- Policy: Fail-closed (server refuses to start if configured GOST provider is missing).
- Configuration:
tls.gost_enabled,tls.gost_cipher_suites.
1.2. Data-at-Rest (TDE) — Planned
Protection of data on disk (Pages, WAL, Audit Logs) using block ciphers Kuznyechik (GOST 34.12-2015) or Magma.
- Scope: Transparent Data Encryption (TDE) for storage files.
- Key Management: Integration with external KMS supporting GOST keys.
- Status: Roadmap item.
1.3. Integrity & Authentication — Future
- Hashing: Migration from SHA-256 to Streebog (GOST R 34.11-2012) for data checksums and SCRAM authentication.
- Audit Signing: Digital signature of audit logs to ensure non-repudiation.
2. Testing GOST TLS Support
This guide describes how to verify that AngaraBase is correctly using GOST cipher suites and strictly enforcing the fail-closed policy.
Prerequisites
You need a Linux environment with OpenSSL configured for GOST.
# Debian/Ubuntu
sudo apt-get install openssl libssl-dev libengines-gost
# Verify engine availability
openssl engine gost -t
# Output should contain: [gost] Reference implementation of GOST engine -> [ available ]
Step 1: Generate GOST Certificates
Standard RSA/ECDSA certificates will not work with GOST cipher suites. You must generate keys using GOST algorithms.
# 1. Generate a private key using GOST R 34.10-2012 (256 bit)
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out gost_server.key
# 2. Generate a self-signed certificate
openssl req -new -x509 -days 365 \
-key gost_server.key \
-out gost_server.crt \
-subj "/CN=localhost"
# 3. Verify the certificate algorithm
openssl x509 -in gost_server.crt -text -noout | grep "Signature Algorithm"
# Expected: Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
Step 2: Configure AngaraBase
Enable TLS and GOST mode. Ensure allow_insecure is OFF to test strict mode.
export ANGARABASE_TLS_ENABLE=1
export ANGARABASE_TLS_CERT_PATH=$(pwd)/gost_server.crt
export ANGARABASE_TLS_KEY_PATH=$(pwd)/gost_server.key
export ANGARABASE_TLS_GOST_ENABLED=1
export ANGARABASE_TLS_GOST_CIPHER_SUITES="GOST2012-GOST8912-GOST8912"
# Start the server
./angarabase-server
Step 3: Verification (Positive Test)
Connect using a client that supports GOST (e.g., openssl s_client or a patched psql).
Using OpenSSL s_client:
openssl s_client -connect localhost:5152 -servername localhost
Verification Checklist:
- Look for
Cipher : GOST2012-GOST8912-GOST8912(or similar GOST suite) in the output. - Look for
Protocol : TLSv1.2. - Ensure the handshake completes successfully.
Using SQL (if psql supports it):
SELECT name, value FROM sys.settings WHERE name LIKE 'tls.%';
-- Verify tls.gost_enabled is 'true'
Step 4: Fail-Closed Verification (Negative Test)
Verify that the server refuses to start if the environment is broken.
- Scenario A: Missing Provider.
Temporarily disable the GOST engine (e.g., by renaming the library or changing OpenSSL config) and try to
start AngaraBase with
ANGARABASE_TLS_GOST_ENABLED=1.
- Expected Result: Server panic/exit with “GOST provider not available”.
- Scenario B: Invalid Cipher Suite.
Set
ANGARABASE_TLS_GOST_CIPHER_SUITES="INVALID-CIPHER".
- Expected Result: Server panic/exit with configuration error.
- Scenario C: RSA Certificate with GOST Ciphers.
Try to start with
ANGARABASE_TLS_GOST_ENABLED=1but provide standard RSA certificates.
- Expected Result: Handshake failures (OpenSSL error: “no shared cipher” or “wrong signature type”).
3. Troubleshooting
| Symptom | Probable Cause | Fix |
|---|---|---|
no shared cipher | Client does not support GOST or Server has RSA certs. | Install libengines-gost on client; Use GOST certs on server. |
wrong signature type | Certificate key type mismatch. | Ensure gost2012_256 is used for key generation. |
| Server fails to start | openssl.cnf not configured for GOST. | Run openssl engine gost -t to verify system setup. |
Next steps
Once you have determined which GOST scenarios you need:
- GOST crypto setup — step-by-step installation of the cryptographic provider and profile switching.
- Encryption (TDE + client) — general contract for TDE and client encryption.
- Audit — how to close GOST signatures on the audit-chain.
- Hardening runbook — final checklist before production.