Re: JDBC SSL with postgresql

From: Jeffrey Baker <jwbaker(at)gmail(dot)com>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC SSL with postgresql
Date: 2010-06-03 03:06:35
Message-ID: AANLkTilbzeXwef87Z9xv6OqTy3gtUjAWhLrBs9U0IKPe@mail.gmail.com
Lists: pgsql-jdbc

On Wed, Jun 2, 2010 at 7:26 PM, Craig Ringer
<craig(at)postnewspapers(dot)com(dot)au> wrote:
> On 3/06/2010 8:46 AM, Jeffrey Baker wrote:
>>
>> I was interested in this[1] work on SSL client certs for JDBC, but I
>> see the author stopped working on your project.  I hope the list can
>> give me a quick clue, because I've been banging my head against this
>> all day.
>>
>> 1: http://github.com/ringerc/pkcs12provider
>
> I stopped working on it because it's unnecessary if Java is configured
> correctly using the standard, built-in SSLSocketFactory and the system
> properties controlling it, as documented in the README in that directory.
>
> Unfortunately, that's only true with current Pg server versions if the same
> root signed the server and client certificates, or if you have only one
> client cert installed in your KeyStore. Otherwise, Java doesn't know which
> client cert to send.

Thanks for the info.

I have complete control of both ends, and both the server and client
are signed by my self-signed root cert. I think perhaps the problem
here is that I'm trying to tackle the entire Java SSL infrastructure
in one go; I knew nothing about it this morning. I read somewhere
that the keystore has to include both the client cert and the root
cert that signed it. Is that not true? I've tried it both ways:
added root cert, then added client cert (this is the way it's
documented in the keytool manual page, the way I interpret it), and
only adding the client cert to the keystore. It doesn't seem to work
either way.

> This code (attached) might help you out. I've been meaning to push it to
> github.

Thanks again, these classes do seem like they would solve the problem,
if I can't figure out the standard way of doing things.

>> Which is half good, because I know that it's validating the trust
>> chain from the server to the root CA, but half bad because it's not
>> sending the client cert.  I know it's opening the keystore with my
>> client cert in it, because I verified it with strace.
>>
>> Do I need to use a SSL socket factory class to make this work, or is
>> it supposed to work out of the box and if so how?
>
> You'll need a custom SSLSocketFactory (like the one included in
> PgClientCertDemo) if you want to target current 8.x versions reliably. Make
> it configurable, though, because with 9.x Pg versions you won't need it, and
> using a custom SSLSocketFactory makes it practically impossible for the user
> to use PKCS#11 hardware keys and the like.

Not a requirement in this project. I want to distribute a WAR file to
a third party "cloud" that can access my database, and I want to use
client certs that expire in one day rather than distributing
passwords. Smart cards and whatnot would be slick for users but don't
really apply in virtuality.

-jwb
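The thread above turns on the JVM having to guess which client certificate to offer from a KeyStore that holds more than one key entry, or whose issuer does not match what the server asks for. The following is an added example, not code from the thread or from the PgClientCertDemo attachment: it pins one alias through a custom X509KeyManager and builds an SSLContext with a separate truststore holding the self-signed root. The file paths, passwords and alias are assumptions; to plug it into the driver you would still wrap the returned factory in an SSLSocketFactory subclass named by the sslfactory connection parameter (that wrapper is omitted here).

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** X509KeyManager that always offers one named key entry as the client certificate. */
final class FixedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;
    FixedAliasKeyManager(X509KeyManager d, String a) { delegate = d; alias = a; }

    // The server's CertificateRequest lists acceptable issuers. The default manager may
    // return null when it cannot match them, and then no client cert is sent at all.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
}

public final class PinnedClientCertFactory {
    /** Builds an SSLSocketFactory from a PKCS#12 keystore (client key + chain) and a JKS truststore (root CA).
     *  Paths, passwords and alias are supplied by the caller; the values below are assumptions. */
    public static SSLSocketFactory build(String p12Path, char[] p12Pass, String alias,
                                         String trustPath, char[] trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { ks.load(in, p12Pass); }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private key under alias '" + alias + "'");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, p12Pass);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];

        // Trust only the self-signed root that signed the server certificate, nothing from cacerts.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { ts.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Because the key manager ignores the issuer hint, the client cert is presented even when the server's trust anchor and the client cert's issuer differ, which is the case the quoted reply says the stock SSLSocketFactory cannot handle.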
