Re: PostgreSQL + SSL - sun.security.validator.ValidatorException - Mailing list pgsql-jdbc
From | Andrew M
---|---
Subject | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date |
Msg-id | 431C280A-4B5E-11D9-A341-0003938366A4@jibeya.com
In response to | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException (John R Pierce <pierce@hogranch.com>)
Responses | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException; Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
List | pgsql-jdbc
Hi,

I have found out how the client certificates are returned to the server. In the docs:

PostgreSQL 8.0.0beta5 Documentation, Chapter 27. libpq - C Library, 27.13. SSL Support

'PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. See Section 16.7 for details about the server-side SSL functionality. If the server demands a client certificate, libpq will send the certificate stored in file .postgresql/postgresql.crt within the user's home directory. A matching private key file .postgresql/postgresql.key must also be present, and must not be world-readable. If the file .postgresql/root.crt is present in the user's home directory, libpq will use the certificate list stored therein to verify the server's certificate. The SSL connection will fail if the server does not present a certificate; therefore, to use this feature the server must also have a root.crt file.'

The only problem with this is, how do you copy an openssl {key|crt} pair into a keytool keystore? Importing the crt into a keystore is not a problem as long as the crt is in x509 format, but the key poses a problem as the x509 format only handles trusted certificates. If you start from the other side, the keystore side, and generate a certificate, a {key|crt} is automatically created in the keystore. You will then have access to the certificate as it is public, but the key is private and cannot, as far as I'm aware, be exported from a keystore.

Any ideas? If anybody knows this, please let me know.

Andrew

On 11 Dec 2004, at 08:11, John R Pierce wrote:

>> It uses specific files relative to the user's $HOME directory. I
>> don't think this translates well into Java and I'm unsure what code
>> would be needed on the driver side to set this up. It would be great
>> if someone more Java+SSL knowledgeable could point us in the right
>> direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the
> certificate store is in ${JAVA_HOME}/lib/security
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipulate and generate these
> keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if your
> joining column's datatypes do not match
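The question Andrew asks, how to get an OpenSSL key/crt pair into a Java keystore, has a standard answer that the thread does not spell out. Java's KeyFactory cannot parse the PKCS#1 "BEGIN RSA PRIVATE KEY" file that openssl genrsa writes, but it does accept PKCS#8 via PKCS8EncodedKeySpec, and a PKCS#12 file built from the key and certificate is itself a keystore that JSSE loads directly (javax.net.ssl.keyStoreType=PKCS12), so nothing ever has to be "exported" from a JKS store. The program below is an added example, not code from this thread or from the pgjdbc driver. It assumes Java 8 or later, that postgresql.key was first converted to unencrypted PKCS#8 with `openssl pkcs8 -topk8 -nocrypt -in postgresql.key -out postgresql.key.pk8`, and it uses the illustrative output names pgclient.p12 and pgroot.p12 and the password "changeit".

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.Set;

/* Example code (not from the pgsql-jdbc thread or the pgjdbc driver): build a PKCS#12
 * client keystore and a truststore from the files libpq reads in ~/.postgresql.
 * Assumes Java 8+ and a key already converted to unencrypted PKCS#8 PEM:
 *   openssl pkcs8 -topk8 -nocrypt -in postgresql.key -out postgresql.key.pk8        */
public class PgClientKeystore {

    /* Java only reads PKCS#8 DER, so strip the PEM armour and decode; refuse the
     * OpenSSL "traditional" and passphrase-protected forms with a clear message. */
    static PrivateKey readPkcs8Pem(Path keyFile) throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("BEGIN EC PRIVATE KEY")) {
            throw new GeneralSecurityException(keyFile + " is a traditional OpenSSL key; run 'openssl pkcs8 -topk8 -nocrypt' first");
        }
        if (pem.contains("BEGIN ENCRYPTED PRIVATE KEY")) {
            throw new GeneralSecurityException(keyFile + " is passphrase-protected; this example loads only unencrypted PKCS#8");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);   // EC client keys work too
        }
    }

    /* postgresql.crt may carry a chain and root.crt is a list; read every PEM certificate. */
    static Certificate[] readPemCerts(Path certFile) throws IOException, GeneralSecurityException {
        try (InputStream in = Files.newInputStream(certFile)) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    /* Same rule libpq enforces: the key file must not be world-readable (skipped where there are no POSIX bits). */
    static void requireNotWorldReadable(Path keyFile) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
            if (perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(keyFile + " is world-readable; chmod 600 it before use");
            }
        } catch (UnsupportedOperationException noPosix) {
            // e.g. NTFS: nothing to check here
        }
    }

    /* A key that does not belong to the certificate only fails later, deep in the handshake; check it up front. */
    static void requireMatchingPair(PrivateKey key, Certificate cert) throws GeneralSecurityException {
        if (key instanceof RSAPrivateKey && cert.getPublicKey() instanceof RSAPublicKey) {
            BigInteger priv = ((RSAPrivateKey) key).getModulus();
            BigInteger pub = ((RSAPublicKey) cert.getPublicKey()).getModulus();
            if (!priv.equals(pub)) {
                throw new GeneralSecurityException("private key does not match " + ((X509Certificate) cert).getSubjectX500Principal());
            }
        }
    }

    static void build(Path pgDir, char[] password, Path keystoreOut, Path truststoreOut) throws IOException, GeneralSecurityException {
        Path keyFile = pgDir.resolve("postgresql.key.pk8");
        requireNotWorldReadable(keyFile);
        PrivateKey key = readPkcs8Pem(keyFile);
        Certificate[] chain = readPemCerts(pgDir.resolve("postgresql.crt"));
        if (chain.length == 0) throw new GeneralSecurityException("postgresql.crt holds no certificate");
        requireMatchingPair(key, chain[0]);

        KeyStore ks = KeyStore.getInstance("PKCS12");       // client keystore: key + chain under one alias
        ks.load(null, null);                                // start empty
        ks.setKeyEntry("postgresql", key, password, chain); // PKCS#12 expects key and store passwords to be equal
        try (OutputStream out = Files.newOutputStream(keystoreOut)) { ks.store(out, password); }

        KeyStore ts = KeyStore.getInstance("PKCS12");       // truststore: each root.crt entry as a trusted certificate
        ts.load(null, null);
        Certificate[] roots = readPemCerts(pgDir.resolve("root.crt"));
        for (int i = 0; i < roots.length; i++) ts.setCertificateEntry("root-" + i, roots[i]);
        try (OutputStream out = Files.newOutputStream(truststoreOut)) { ts.store(out, password); }
    }

    public static void main(String[] args) throws Exception {
        Path pgDir = Paths.get(System.getProperty("user.home"), ".postgresql");
        char[] password = "changeit".toCharArray();   // illustrative; take it from the environment or a prompt in real use
        build(pgDir, password, Paths.get("pgclient.p12"), Paths.get("pgroot.p12"));
        System.out.println("Wrote pgclient.p12 and pgroot.p12; start the JDBC client with\n"
            + "  -Djavax.net.ssl.keyStore=pgclient.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=changeit\n"
            + "  -Djavax.net.ssl.trustStore=pgroot.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=changeit");
    }
}
```

The same PKCS#12 file can be produced without any Java at all with `openssl pkcs12 -export -in postgresql.crt -inkey postgresql.key -out pgclient.p12 -name postgresql`, and inspected with `keytool -list -keystore pgclient.p12 -storetype PKCS12`; the program above adds the two checks a practitioner wants before trusting the result (the key file's permissions and that the key actually belongs to the certificate). Keeping the root certificates in a separate truststore rather than in the client keystore follows JSSE's split between javax.net.ssl.keyStore (what the client presents) and javax.net.ssl.trustStore (what it accepts), which is the Java counterpart of libpq's postgresql.crt/postgresql.key versus root.crt.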