Thread: [pgjdbc/pgjdbc] cdeeac: security: implement SSL hostname verification for ...
From: Vladimir Sitnikov
Date:
  Branch: refs/heads/master
  Home:   https://github.com/pgjdbc/pgjdbc

  Commit: cdeeaca47dc3bc6f727c79a582c9e4123099526e
      https://github.com/pgjdbc/pgjdbc/commit/cdeeaca47dc3bc6f727c79a582c9e4123099526e
  Author: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
  Date:   2018-08-27 (Mon, 27 Aug 2018)

  Changed paths:
    M .travis/travis_configure_ssl.sh
    M README.md
    M build.properties
    R certdir/README
    A certdir/README.md
    M docs/documentation/head/connect.md
    M pgjdbc/src/main/java/org/postgresql/PGProperty.java
    M pgjdbc/src/main/java/org/postgresql/core/PGStream.java
    M pgjdbc/src/main/java/org/postgresql/core/SocketFactoryFactory.java
    M pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
    M pgjdbc/src/main/java/org/postgresql/core/v3/QueryExecutorImpl.java
    A pgjdbc/src/main/java/org/postgresql/jdbc/SslMode.java
    A pgjdbc/src/main/java/org/postgresql/ssl/DefaultJavaSSLFactory.java
    A pgjdbc/src/main/java/org/postgresql/ssl/LazyKeyManager.java
    A pgjdbc/src/main/java/org/postgresql/ssl/LibPQFactory.java
    M pgjdbc/src/main/java/org/postgresql/ssl/MakeSSL.java
    A pgjdbc/src/main/java/org/postgresql/ssl/PGjdbcHostnameVerifier.java
    R pgjdbc/src/main/java/org/postgresql/ssl/jdbc4/LazyKeyManager.java
    M pgjdbc/src/main/java/org/postgresql/ssl/jdbc4/LibPQFactory.java
    M pgjdbc/src/main/java/org/postgresql/util/ObjectFactory.java
    M pgjdbc/src/test/java/org/postgresql/test/TestUtil.java
    M pgjdbc/src/test/java/org/postgresql/test/jdbc2/NotifyTest.java
    M pgjdbc/src/test/java/org/postgresql/test/jdbc4/Jdbc4TestSuite.java
    R pgjdbc/src/test/java/org/postgresql/test/jdbc4/LibPQFactoryHostNameTest.java
    A pgjdbc/src/test/java/org/postgresql/test/ssl/CommonNameVerifierTest.java
    A pgjdbc/src/test/java/org/postgresql/test/ssl/LibPQFactoryHostNameTest.java
    M pgjdbc/src/test/java/org/postgresql/test/ssl/SslTest.java
    M pgjdbc/src/test/java/org/postgresql/test/ssl/SslTestSuite.java
    M ssltest.properties

  Log Message:
  -----------
  security: implement SSL hostname verification for non-default (LibPQFactory) SSL factories (CVE-2018-10936)

In order to configure full SSL verification, `sslmode=verify-full` should be used.
However, previous versions of pgjdbc missed hostname verification for non-default SSL factories, so `sslmode=verify-full` was effectively the same as `sslmode=verify-ca`.

Default sslfactory (which is LibPQFactory) is not impacted.

Extra changes:
- support for sslmode=allow/prefer/require
- ssl=true is treated as verify-full
- sslfactoryarg and socketFactoryArg are deprecated (as constructors with Properties) can be used.


  Commit: fa032732acfe51c6e663ee646dd5c1beaa1af857
      https://github.com/pgjdbc/pgjdbc/commit/fa032732acfe51c6e663ee646dd5c1beaa1af857
  Author: Dave Cramer <davecramer@gmail.com>
  Date:   2018-08-27 (Mon, 27 Aug 2018)

  Changed paths:
    M docs/documentation/head/connect.md
    M docs/documentation/head/media/css/table.css
    M docs/documentation/head/ssl-client.md
    M docs/documentation/head/ssl-factory.md

  Log Message:
  -----------
  docs: improve documentation on SSL


  Commit: 237a89bf3058a16a3de37b8c92d2a4d850c6c056
      https://github.com/pgjdbc/pgjdbc/commit/237a89bf3058a16a3de37b8c92d2a4d850c6c056
  Author: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
  Date:   2018-08-27 (Mon, 27 Aug 2018)

  Changed paths:
    M CHANGELOG.md

  Log Message:
  -----------
  Update changelog for 42.2.5


  Commit: c8a639edbd0cf39453048f1fd7d9412ec8e09293
      https://github.com/pgjdbc/pgjdbc/commit/c8a639edbd0cf39453048f1fd7d9412ec8e09293
  Author: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
  Date:   2018-08-27 (Mon, 27 Aug 2018)

  Changed paths:
    M CHANGELOG.md
    M contributors.json
    A docs/_posts/2018-08-27-42.2.5-release.md

  Log Message:
  -----------
  docs: update site for 42.2.5


Compare: https://github.com/pgjdbc/pgjdbc/compare/c2885dd0cfc7...c8a639edbd0c

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

Functionality will be removed from GitHub.com on January 31st, 2019.
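
The gap between `sslmode=verify-ca` and `sslmode=verify-full` that the first log message describes, as an added example that is not pgjdbc code and not part of the original message. It is a simplified model: `chainTrusted` stands for the CA chain validation both modes perform, `certNames` for the DNS names in the server certificate, and the class, method and host names are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added illustration, not pgjdbc code: a simplified model of the two modes.
public class SslModeDemo {

    // True if a certificate DNS name (exact, or wildcard like "*.db.example") matches host.
    static boolean nameMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        // The wildcard stands for exactly one leftmost label, so "*.db.example"
        // matches "a.db.example" but not "db.example" or "a.b.db.example".
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // chainTrusted (assumption) stands for the CA chain validation both modes perform.
    static boolean accept(String sslmode, boolean chainTrusted, String host, List<String> certNames) {
        if (!chainTrusted) {
            return false;
        }
        switch (sslmode) {
            case "verify-ca":
                return true; // the host name is never compared with the certificate
            case "verify-full":
                for (String name : certNames) {
                    if (nameMatches(host, name)) return true;
                }
                return false;
            default:
                throw new IllegalArgumentException("mode not modelled: " + sslmode);
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the CA is trusted, but the certificate names another host.
        String host = "db.internal.example";
        List<String> wrongHost = Arrays.asList("reports.internal.example");
        List<String> wildcard = Arrays.asList("*.internal.example");
        System.out.println("verify-ca,   other host's cert: " + accept("verify-ca", true, host, wrongHost));
        System.out.println("verify-full, other host's cert: " + accept("verify-full", true, host, wrongHost));
        System.out.println("verify-full, wildcard cert:     " + accept("verify-full", true, host, wildcard));
    }
}
```

A factory that stops after the chain check behaves like the `verify-ca` branch whatever `sslmode` the caller requested, so any certificate issued by the trusted CA is accepted for any host.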