Re: JDBC SSL with postgresql

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Jeffrey Baker <jwbaker(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC SSL with postgresql
Date: 2010-06-03 02:26:46
Message-ID: 4C0712E6.1050002@postnewspapers.com.au
Lists: pgsql-jdbc

On 3/06/2010 8:46 AM, Jeffrey Baker wrote:
> I was interested in this[1] work on SSL client certs for JDBC, but I
> see the author stopped working on your project. I hope the list can
> give me a quick clue, because I've been banging my head against this
> all day.
>
> 1: http://github.com/ringerc/pkcs12provider

I stopped working on it because it's unnecessary if Java is configured
correctly using the standard, built-in SSLSocketFactory and the system
properties controlling it, as documented in the README in that directory.

Unfortunately, that's only true with current Pg server versions if the
same root signed the server and client certificates, or if you have only
one client cert installed in your KeyStore. Otherwise, Java doesn't know
which client cert to send.

> truststore has only my self-signed root CA cert. keystore has the
> root CA cert and my signed client certificate. Using a trivial JDBC
> test class and this command line:
>
> java -cp /usr/share/java/postgresql.jar:.
> -Djavax.net.ssl.keyStore=./keystore
> -Djavax.net.ssl.trustStore=./truststore TestJdbc
>
> I get this exception:
>
> Exception in thread "main" org.postgresql.util.PSQLException: FATAL:
> connection requires a valid client certificate

This code (attached) might help you out. I've been meaning to push it to
github.

> Which is half good, because I know that it's validating the trust
> chain from the server to the root CA, but half bad because it's not
> sending the client cert. I know it's opening the keystore with my
> client cert in it, because I verified it with strace.
>
> Do I need to use a SSL socket factory class to make this work, or is
> it supposed to work out of the box and if so how?

You'll need a custom SSLSocketFactory (like the one included in
PgClientCertDemo) if you want to target current 8.x versions reliably.
Make it configurable, though, because with 9.x Pg versions you won't
need it, and using a custom SSLSocketFactory makes it practically
impossible for the user to use PKCS#11 hardware keys and the like.

--
Craig Ringer

Attachment Content-Type Size
PgClientCertDemo.zip application/x-zip-compressed 10.3 KB
