Skip site navigation (1) Skip section navigation (2)

Re: How to ensure that SSL is enabled?

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Eric Jain <eric(dot)jain(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: How to ensure that SSL is enabled?
Date: 2009-10-20 03:45:32
Message-ID: 1256010332.6437.74.camel@wallace.localnet (view raw or flat)
Thread:
Lists: pgsql-jdbc
On Mon, 2009-10-19 at 17:31 -0700, Eric Jain wrote:

> I've appended ?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
> to the connection URL, but (looking at the network traffic) no
> encryption appears to be done. Shouldn't the connection fail if no SSL
> connection can be established? It's possible that the server isn't set
> up properly; is there a simple way to test that (e.g. verify that the
> server was compiled with SSL support etc)?
> 


It looks like on the JDBC side is mostly handled via custom SSLFactory
classes. There's been discussion of making the "ssl" param take a string
value, allowing more control over behaviour:

http://archives.free.net.ph/message/20070706.205109.cdd3ca05.en.html

... but I don't know if much ever came of it.

Personally, I handle this on the server side in pg_hba.conf . For
Internet users (0.0.0.0/0 IP/mask), I use "hostssl" entries rather than
simple "host" entries, so the pg_hba.conf entry only matches for SSL
connections. If they're not using SSL, the server won't let them try
password auth because there's no pg_hba.conf entry that'd permit them to
do so.

eg:

    hostssl    somedatabase    all    0.0.0.0/0    md5

--
Craig Ringer

In response to

Responses

pgsql-jdbc by date

Next:From: David WallDate: 2009-10-20 16:05:27
Subject: JDBC with PG 8.4 bytea character escaping wire protocol
Previous:From: Eric JainDate: 2009-10-20 00:31:31
Subject: How to ensure that SSL is enabled?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group