
Re: JDBC SSL with postgresql

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Jeffrey Baker <jwbaker(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC SSL with postgresql
Date: 2010-06-03 02:43:13
Message-ID: 4C0716C1.9070009@postnewspapers.com.au
Lists: pgsql-jdbc
On 3/06/2010 8:46 AM, Jeffrey Baker wrote:
> I was interested in this[1] work on SSL client certs for JDBC, but I
> see the author stopped working on your project.  I hope the list can
> give me a quick clue, because i've been banging my head against this
> all day.
>
> 1: http://github.com/ringerc/pkcs12provider

I stopped working on it because it's unnecessary if Java is configured 
correctly using the standard, built-in SSLSocketFactory and the system 
properties controlling it, as documented in the README in that directory.

Unfortunately, that's only true with current Pg server versions if the 
same root signed the server and client certificates, or if you have only 
one client cert installed in your KeyStore. Otherwise, Java doesn't know 
which client cert to send.

> truststore has only my self-signed root CA cert.  keystore has the
> root CA cert and my signed client certificate.  Using a trivial JDBC
> test class and this command line:
>
> java -cp /usr/share/java/postgresql.jar:.
> -Djavax.net.ssl.keyStore=./keystore
> -Djavax.net.ssl.trustStore=./truststore TestJdbc
>
> I get this exception:
>
> Exception in thread "main" org.postgresql.util.PSQLException: FATAL:
> connection requires a valid client certificate

This code might help you out. I've been meaning to push it to github.

Sources:
   http://www.postnewspapers.com.au/~craig/PgClientCertDemo.zip
Executable:
   http://www.postnewspapers.com.au/~craig/PgClientCertDemo.jar

> Which is half good, because I know that it's validating the trust
> chain from the server to the root CA, but half bad because it's not
> sending the client cert.  I know it's opening the keystore with my
> client cert in it, because I verified it with strace.
>
> Do I need to use a SSL socket factory class to make this work, or is
> it supposed to work out of the box and if so how?

You'll need a custom SSLSocketFactory (like the one included in 
PgClientCertDemo) if you want to target current 8.x versions reliably. 
Make it configurable, though, because with 9.x Pg versions you won't 
need it, and using a custom SSLSocketFactory makes it practically 
impossible for the user to use PKCS#11 hardware keys and the like.

--
Craig Ringer
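The kind of custom SSLSocketFactory Craig describes, written here as an added example for this page; it is not the code from PgClientCertDemo or from pgjdbc. It addresses the exact failure in the thread: the JRE's default key manager picks a client certificate by matching the server's acceptable-CA list against the keystore, so with a mismatched root or several keys it may send nothing, and the server answers "connection requires a valid client certificate". The factory below wraps the default X509KeyManager and always returns one pinned alias. It relies on pgjdbc's `sslfactory` and `sslfactoryarg` connection parameters (the driver passes `sslfactoryarg` to a constructor taking a single String); the class name, the `keystorePath:password:alias` argument format and the PKCS#12 keystore type are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/*
 * Hypothetical pgjdbc SSLSocketFactory that always presents the client
 * certificate stored under one fixed keystore alias. The driver instantiates
 * it via the "sslfactory" connection parameter and passes "sslfactoryarg" to
 * the String constructor. The argument format "keystorePath:password:alias"
 * is an assumption of this example, not a pgjdbc convention.
 */
public class PinnedAliasSslFactory extends SSLSocketFactory {

    /* Key manager that ignores the server's acceptable-CA list and the JRE's
     * own alias selection and returns the pinned alias for every client
     * authentication request. Server-side methods and key lookups delegate. */
    static final class PinnedKeyManager implements X509KeyManager {
        private final X509KeyManager base;
        private final String alias;

        PinnedKeyManager(X509KeyManager base, String alias) {
            this.base = base;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias;
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return new String[] { alias };
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return base.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return base.getServerAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String a) { return base.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return base.getPrivateKey(a); }
    }

    private final SSLSocketFactory delegate;

    public PinnedAliasSslFactory(String arg) throws Exception {
        String[] parts = arg.split(":", 3);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected sslfactoryarg=keystorePath:password:alias");
        }
        char[] password = parts[1].toCharArray();
        String alias = parts[2];

        // Keystore holding the client private key and its certificate chain.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(parts[0])) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        // Fail at connect time, not mid-handshake, if the alias has no private key.
        if (base == null || base.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("no private key under alias '" + alias + "' in " + parts[0]);
        }

        // Server trust comes from the default trust store, i.e. the
        // javax.net.ssl.trustStore system property or the JRE's cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // pgjdbc upgrades its already-connected plain socket through this overload.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

With the class on the classpath, a connection URL of the form `jdbc:postgresql://host/db?ssl=true&sslfactory=PinnedAliasSslFactory&sslfactoryarg=/path/client.p12:changeit:clientcert` makes the driver present the `clientcert` key regardless of how many keys the keystore holds or which CA names the server advertises. Two caveats: carrying the keystore password in the URL is for illustration only (read it from a file or prompt in real code), and, as Craig notes, a hard-coded factory like this forecloses PKCS#11 or other provider-backed keys, so keep it optional and prefer the plain system-property setup wherever the server version lets it work.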


Copyright © 1996-2014 The PostgreSQL Global Development Group