Re: JDBC SSL with postgresql - Mailing list pgsql-jdbc
| From | Jeffrey Baker |
|---|---|
| Subject | Re: JDBC SSL with postgresql |
| Date | |
| Msg-id | AANLkTilbzeXwef87Z9xv6OqTy3gtUjAWhLrBs9U0IKPe@mail.gmail.com |
| In response to | Re: JDBC SSL with postgresql (Craig Ringer <craig@postnewspapers.com.au>) |
| Responses | Re: JDBC SSL with postgresql |
| List | pgsql-jdbc |
On Wed, Jun 2, 2010 at 7:26 PM, Craig Ringer <craig@postnewspapers.com.au> wrote:
> On 3/06/2010 8:46 AM, Jeffrey Baker wrote:
>>
>> I was interested in this[1] work on SSL client certs for JDBC, but I see the author stopped working on your project. I hope the list can give me a quick clue, because I've been banging my head against this all day.
>>
>> 1: http://github.com/ringerc/pkcs12provider
>
> I stopped working on it because it's unnecessary if Java is configured correctly using the standard, built-in SSLSocketFactory and the system properties controlling it, as documented in the README in that directory.
>
> Unfortunately, that's only true with current Pg server versions if the same root signed the server and client certificates, or if you have only one client cert installed in your KeyStore. Otherwise, Java doesn't know which client cert to send.

Thanks for the info. I have complete control of both ends, and both the server and client are signed by my self-signed root cert. I think perhaps the problem here is that I'm trying to tackle the entire Java SSL infrastructure in one go; I knew nothing about it this morning.

I read somewhere that the keystore has to include both the client cert and the root cert that signed it. Is that not true? I've tried it both ways: added root cert, then added client cert (this is the way it's documented in the keytool manual page, the way I interpret it), and only adding the client cert to the keystore. It doesn't seem to work either way.

> This code (attached) might help you out. I've been meaning to push it to github.

Thanks again, these classes do seem like they would solve the problem, if I can't figure out the standard way of doing things.

>> Which is half good, because I know that it's validating the trust chain from the server to the root CA, but half bad because it's not sending the client cert. I know it's opening the keystore with my client cert in it, because I verified it with strace.
>>
>> Do I need to use a SSL socket factory class to make this work, or is it supposed to work out of the box and if so how?
>
> You'll need a custom SSLSocketFactory (like the one included in PgClientCertDemo) if you want to target current 8.x versions reliably. Make it configurable, though, because with 9.x Pg versions you won't need it, and using a custom SSLSocketFactory makes it practically impossible for the user to use PKCS#11 hardware keys and the like.

Not a requirement in this project. I want to distribute a WAR file to a third party "cloud" that can access my database, and I want to use client certs that expire in one day rather than distributing passwords. Smart cards and whatnot would be slick for users but don't really apply in virtuality.

-jwb
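The thread turns on one point: the built-in JSSE key manager only sends a client certificate when it can pick one unambiguously, and with several client keys in the keystore it silently sends none. The following is an added example (not code from this thread, from the pkcs12provider project or from PgClientCertDemo) of the "custom SSLSocketFactory" approach Craig describes: it pins the client certificate to a single keystore alias, so the choice is explicit rather than guessed, while still verifying the server chain against the trust store. The class name `PinnedAliasSslFactory`, the inner `AliasKeyManager` and the alias value are hypothetical; the `javax.net.ssl.*` system properties are the standard JSSE ones, and the single-`String` constructor matches the argument pgjdbc passes from its `sslfactoryarg` connection property.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical SSLSocketFactory (added example) that always presents the client
 * certificate stored under one keystore alias, so the JSSE key manager never has
 * to choose between several client keys. Server certificates are still validated
 * against the CA certificates in the configured trust store.
 */
public class PinnedAliasSslFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate;

    /** pgjdbc instantiates the sslfactory class with one String: the sslfactoryarg value, here the alias. */
    public PinnedAliasSslFactory(String alias) throws GeneralSecurityException, IOException {
        // Locations and passwords come from the standard JSSE system properties
        // (-Djavax.net.ssl.keyStore=..., -Djavax.net.ssl.trustStore=..., etc.).
        char[] keyPw = toChars(System.getProperty("javax.net.ssl.keyStorePassword"));
        KeyStore keyStore = load(System.getProperty("javax.net.ssl.keyStore"), keyPw);
        KeyStore trustStore = load(System.getProperty("javax.net.ssl.trustStore"),
                toChars(System.getProperty("javax.net.ssl.trustStorePassword")));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPw);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new GeneralSecurityException("no X509KeyManager available");
        // Fail at connect time with a clear message instead of silently sending no certificate.
        if (base.getPrivateKey(alias) == null || base.getCertificateChain(alias) == null) {
            throw new GeneralSecurityException("keystore has no private key entry for alias '" + alias + "'");
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // only chains rooted in the trust store are accepted for the server

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AliasKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        this.delegate = ctx.getSocketFactory();
    }

    private static char[] toChars(String s) { return s == null ? null : s.toCharArray(); }

    private static KeyStore load(String path, char[] password) throws GeneralSecurityException, IOException {
        if (path == null) throw new GeneralSecurityException("keystore/truststore system property not set");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Key manager that answers every client-certificate request with the pinned alias. */
    private static final class AliasKeyManager implements X509KeyManager {
        private final X509KeyManager base;
        private final String alias;
        AliasKeyManager(X509KeyManager base, String alias) { this.base = base; this.alias = alias; }
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
        public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        public X509Certificate[] getCertificateChain(String a) { return base.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return base.getPrivateKey(a); }
    }

    // SSLSocketFactory / SocketFactory contract: everything is delegated to the pinned context.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
        return delegate.createSocket(addr, port, localAddr, localPort);
    }
}
```

Assuming the JVM is started with the `javax.net.ssl.keyStore`/`trustStore` properties pointing at the stores and the class is on the application's classpath, a connection URL of the form `jdbc:postgresql://host/db?ssl=true&sslfactory=PinnedAliasSslFactory&sslfactoryarg=<alias>` (the alias is a placeholder for the keytool entry holding the client key) selects the factory. Two points answer the questions raised in the thread: the trust store, not the keystore, is where the self-signed root has to live for server validation, and the keystore entry for the client must be a private-key entry whose chain includes the client cert (the root may be there too, but its presence is not what makes Java send the cert). As Craig notes, keep the factory optional in configuration: once the server side no longer needs the workaround, dropping `sslfactory` returns to the default JSSE factory and leaves PKCS#11 tokens usable.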