Re: How to ensure that SSL is enabled?

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Eric Jain <eric(dot)jain(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: How to ensure that SSL is enabled?
Date: 2009-10-20 03:45:32
Message-ID: 1256010332.6437.74.camel@wallace.localnet
Lists: pgsql-jdbc

On Mon, 2009-10-19 at 17:31 -0700, Eric Jain wrote:

> I've appended ?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
> to the connection URL, but (looking at the network traffic) no
> encryption appears to be done. Shouldn't the connection fail if no SSL
> connection can be established? It's possible that the server isn't set
> up properly; is there a simple way to test that (e.g. verify that the
> server was compiled with SSL support etc)?
>

It looks like on the JDBC side this is mostly handled via custom SSLFactory
classes. There's been discussion of making the "ssl" param take a string
value, allowing more control over behaviour:

http://archives.free.net.ph/message/20070706.205109.cdd3ca05.en.html

... but I don't know if much ever came of it.

Personally, I handle this on the server side in pg_hba.conf. For
Internet users (0.0.0.0/0 IP/mask), I use "hostssl" entries rather than
simple "host" entries, so the pg_hba.conf entry only matches for SSL
connections. If they're not using SSL, the server won't let them try
password auth because there's no pg_hba.conf entry that'd permit them to
do so.

e.g.:

hostssl somedatabase all 0.0.0.0/0 md5

--
Craig Ringer
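
An added example, not part of the original message: a small Python audit of pg_hba.conf that lists records which still let a non-loopback client authenticate without SSL, since a plain "host" record matches both SSL and non-SSL connections. The sample file is constructed; only the hostssl line comes from the message above, and the database and user names "reports", "legacy" and "app" are assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf; only the hostssl line is from the message.
SAMPLE_HBA = """\
# TYPE    DATABASE      USER  ADDRESS                    METHOD
local     all           all                              peer
host      all           all   127.0.0.1/32               md5
hostssl   somedatabase  all   0.0.0.0/0                  md5
host      reports       all   0.0.0.0/0                  md5
hostnossl legacy        app   10.0.0.0/8                 password
host      all           all   192.168.1.0 255.255.255.0  reject
"""

PLAINTEXT_TYPES = {"host", "hostnossl"}  # record types that match non-SSL TCP

def client_network(fields):
    """Return (network or None, auth method) for one host* record."""
    addr = fields[3]
    if addr == "all":
        return ipaddress.ip_network("0.0.0.0/0"), fields[4]
    try:
        if "/" in addr:  # CIDR form, e.g. 0.0.0.0/0
            return ipaddress.ip_network(addr, strict=False), fields[4]
        # IP plus separate netmask column, e.g. 192.168.1.0 255.255.255.0
        return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]
    except (ValueError, IndexError):
        return None, fields[4]  # host name, samehost, samenet: range unknown

def plaintext_entries(hba_text):
    """List (line number, record) pairs that permit non-SSL, non-loopback logins."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue  # blank line, comment, local socket or hostssl record
        network, method = client_network(fields)
        if method == "reject":
            continue  # record refuses the connection instead of permitting it
        if network is not None and network.is_loopback:
            continue
        findings.append((lineno, line))  # unknown ranges are reported too
    return findings

if __name__ == "__main__":
    for lineno, record in plaintext_entries(SAMPLE_HBA):
        print(f"line {lineno}: allows non-SSL clients: {record}")
```

Each record is judged on its own; the server uses the first record that matches a connection, so read the findings against the order of the file.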
