
Re: PostgreSQL + SSL - sun.security.validator.ValidatorException

From: Andrew M <andrew(at)jibeya(dot)com>
To: John R Pierce <pierce(at)hogranch(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org, Kris Jurka <books(at)ejurka(dot)com>
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date: 2004-12-11 10:20:20
Message-ID: 431C280A-4B5E-11D9-A341-0003938366A4@jibeya.com
Lists: pgsql-jdbc
Hi,
I have found out how the client certificates are returned to the 
server. In the docs:

PostgreSQL 8.0.0beta5 Documentation
Chapter 27. libpq - C Library
27.13. SSL Support

'PostgreSQL has native support for using SSL connections to encrypt 
client/server communications for increased security. See Section 16.7 
for details about the server-side SSL functionality.

  If the server demands a client certificate, libpq will send the 
certificate stored in file .postgresql/postgresql.crt within the 
user's home directory. A matching private key file 
.postgresql/postgresql.key must also be present, and must not be 
world-readable.

  If the file .postgresql/root.crt is present in the user's home 
directory, libpq will use the certificate list stored therein to 
verify the server's certificate. The SSL connection will fail if the 
server does not present a certificate; therefore, to use this feature 
the server must also have a root.crt file.'


The only problem with this is, how do you copy an openssl {key|crt} 
pair into a keytool keystore? Importing the crt into a keystore is not 
a problem as long as the crt is in x509 format, but the key poses a 
problem as the x509 format only handles trusted certificates.

If you start from the other side, the keystore side, and generate a 
certificate, a {key|crt} is automatically created in the keystore. You 
will then have access to the certificate as it is public, but the key is 
private and cannot, as far as I'm aware, be exported from a keystore.

Any ideas? If anybody knows this, please let me know.

Andrew

On 11 Dec 2004, at 08:11, John R Pierce wrote:

>> It uses specific files relative to the user's $HOME directory.  I 
>> don't think this translates well into Java and I'm unsure what code 
>> would be needed on the driver side to set this up.  It would be great 
>> if someone more Java+SSL knowledgeable could point us in the right 
>> direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the 
> certificate store is in ${JAVA_HOME}/lib/security  
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipulate and generate these 
> keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
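The conversion the question above asks about, as an added example that is not from this thread or from the PostgreSQL project: OpenSSL bundles the key/crt pair into a PKCS12 file, and JSSE accepts PKCS12 directly as a keystore type, so no private key ever has to be typed into keytool. The self-signed client certificate stands in for one issued by the server's CA; the working directory, CN "pguser", alias and password "changeit" are placeholders.

```shell
# Added example (not from the thread): bundle an OpenSSL key/crt pair into a
# PKCS12 file that JSSE can load as a keystore. Self-signed client cert, paths,
# CN and the password "changeit" are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/postgresql.key"     # stand-in for ~/.postgresql/postgresql.key
CRT="$WORK/postgresql.crt"     # stand-in for ~/.postgresql/postgresql.crt
P12="$WORK/postgresql.p12"
PASS="changeit"

# Constructed client pair. umask 077 creates the key 0600: libpq requires that
# the private key not be world-readable.
make_client_pair() {
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pguser" \
        -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# Succeeds only if "other" has no read bit on the file (the libpq check).
key_not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$(printf '%s' "$mode" | tail -c 1)" in
        0|1|2|3) return 0 ;;
        *)       return 1 ;;
    esac
}

# The step keytool cannot do from a bare PEM key: wrap key + cert together in
# one password-protected PKCS12 entry (alias "postgresql").
export_pkcs12() {
    umask 077
    openssl pkcs12 -export -name postgresql -in "$CRT" -inkey "$KEY" \
        -out "$P12" -passout "pass:$PASS"
}

# Count the private-key entries the bundle opens to (expect 1).
pkcs12_key_count() {
    openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN .*PRIVATE KEY'
}

# Use from Java without any keytool step (placeholders):
#   java -Djavax.net.ssl.keyStore="$P12" -Djavax.net.ssl.keyStoreType=PKCS12 \
#        -Djavax.net.ssl.keyStorePassword="$PASS" ...
# Server trust (root.crt) lives in a separate truststore:
#   keytool -import -trustcacerts -alias pgroot -file root.crt -keystore truststore.jks
make_client_pair && key_not_world_readable "$KEY" && export_pkcs12
```

On JDK 6 and later the same PKCS12 file can also be converted into a JKS with `keytool -importkeystore -srckeystore postgresql.p12 -srcstoretype PKCS12 -destkeystore keystore.jks`; keep the .p12 and any derived keystore 0600, since they hold the client's private key.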
