Re: SSL support for javax.sql.DataSource

From: "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at>
To: "Kris Jurka *EXTERN*" <books(at)ejurka(dot)com>
Cc: <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: SSL support for javax.sql.DataSource
Date: 2007-07-25 11:49:57
Message-ID: AFCCBB403D7E7A4581E48F20AF3E5DB203F8BBD4@EXADV1.host.magwien.gv.at
Lists: pgsql-jdbc
Kris Jurka wrote:
>> Should I go ahead and write a patch against CVS HEAD, including
>> sslfactory? I guess I should write a patch for the documentation too
>> then.
>
> Yes, please.

I have attached the patch; the documentation change is included.

I could not test if the documentation change is ok because I
cannot build the documentation
(I get a javax.xml.transform.TransformerException:
  java.lang.ArrayIndexOutOfBoundsException: -1
from xslt).

>> I believe that
>> SSL without certificate validation would be a good default
>> because this is the way it is done everywhere else in PostgreSQL.
> 
> One of the ideas that Oliver had was to make the ssl parameter take a
> String value so you could say things like ssl=try or ssl=require or
> ssl=none.
> [...] We could do that and add ssl=validate or ssl=novalidate.
> That would make it easier for people to change the validation
> setting without getting into the details of sslfactory.
> I didn't think ssl=try was a real useful setting
> so resisted the idea at the time, but now that there are more 
> interesting options perhaps we should give the idea another look.

The most intuitive setting for people used to libpq would be
ssl=disable/allow/prefer/require, with "prefer" or maybe "allow"
as default.

I think that certificate validation is orthogonal to that; it
can go with either of the above, so it had better be another property,
which means one might as well use "sslfactory" as it is now...

I will be on vacation from July 28 to August 10, so I cannot respond
during that time if there is a problem with my patch.

Yours,
Laurenz Albe


Attachment: DataSource_ssl.patch
Description: application/octet-stream (4.5 KB)
