Re: Support for cert auth in JDBC

From: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: Kris Jurka <books(at)ejurka(dot)com>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Support for cert auth in JDBC
Date: 2011-06-27 06:18:12
Message-ID: 4E0820A4.3090004@atc.tcs.com
Lists: pgsql-jdbc

Hello everybody,

I haven't heard back about this testing... did anyone get time to do it?

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On 05/25/2011 07:09 AM, Craig Ringer wrote:
> On 25/05/11 00:27, Kris Jurka wrote:
>>
>>
>> On Tue, 24 May 2011, Marc-André Laverdière wrote:
>>
>>> It is not over... It is not in the CVS repository yet :D
>>>
>>> What would be the next step?
>>
>> It was not clear to me that the discussion between you and Craig had
>> resulted in a final code version. Apparently you think so. Craig do
>> you concur?
>
> I'm happy with the state of the code, but should really test it properly
> before signing off on that. In particular, I need to test PKCS#12 cert
> files and test a JCEKS keystore containing multiple keys only one of
> which is valid to access Pg.
>
> On the other hand, I'm swamped at the moment and unsure if I'll get to
> that in a reasonable amount of time. The tests Marc-André wrote
> demonstrate the core functionality pretty well, and the code would be
> good to get into the official codebase to save others from duplicating
> the same work over and over as both Marc-André and I have each done already.
>
> Argh. I'm going to have to come back to that, as I have a backup server
> to fix. Maybe it's best if you have a look and see what you think of it,
> while I try to find some time to do some more testing.
>
>> Perhaps some documentation updates
>> would be in order, but I haven't looked at the code yet to know what
>> might be appropriate.
>
> Some documentation updates are definitely in order, to sit alongside the
> existing documentation for the non-validating ssl factory.
>
>
> By the way, I _do_ think it'd be useful to add support for constructing
> the socket factory with:
>
> FactoryClass(String arg, Properties jdbcProperties)
>
> ... where the properties argument contains all the Pg JDBC properties
> like the user name and password. It'd make it easier for apps to pass
> custom args into a socket factory, especially things like the password
> to the user's private key that they don't want to have to put in the
> sslocketfactoryarg string.
>
> I could also then produce a second version of the cert factory for
> people to use that got all its settings from the jdbc connection
> properties instead of the system properties.
>
> I wouldn't suggest adding that now, though, but maybe as a revision once
> the working code is already committed.
>
> --
> Craig Ringer
