Re: Support for cert auth in JDBC

From: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Support for cert auth in JDBC
Date: 2011-05-18 06:06:02
Message-ID: 4DD361CA.3070907@atc.tcs.com
Lists: pgsql-jdbc

Hello,

This implementation allows specifying which keystore and which
truststore to load. This allows certificate authentication in the
application easily.

In the official documentation, it says:

<quote>
Custom SSLSocketFactory

PostgreSQL™ provides a way for developers to customize how a SSL
connection is established. This may be used to provide a custom
certificate source or other extensions by allowing the developer to
create their own SSLContext instance. The connection URL parameters
sslfactory and sslfactoryarg allow the user to specify which custom
class to use for creating the SSLSocketFactory. The class name specified
by sslfactory must extend javax.net.ssl.SSLSocketFactory and be
available to the driver's classloader. This class must have a zero
argument constructor or a single argument constructor taking a String
argument. This argument may optionally be supplied by sslfactoryarg.

Information on how to actually implement such a class is beyond the
scope of this documentation. Places to look for help are the JSSE
Reference Guide and the source to the NonValidatingFactory provided by
the JDBC driver.

The Java SSL API is not very well known to the JDBC driver developers
and we would be interested in any interesting and generally useful
extensions that you have implemented using this mechanism. Specifically
it would be nice to be able to provide client certificates to be
validated by the server.
</quote>

What I'm talking about is this factory referred to in the last paragraph.

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Wednesday 18 May 2011 11:10 AM, Craig Ringer wrote:
> On 18/05/2011 12:49 PM, Marc-André Laverdière wrote:
>> [I posted this by mistake to the main dev mailing list... apologies if
>> you got this multiple times]
>>
>> Hello developers,
>>
>> My project had a requirement to use certificate authentication to the PG
>> server. Our application uses Hibernate.
>>
>> We did just that and my boss has OKed a source release.
>
> Eh? Did what?
>
> PgJDBC supports X.509 client certificates just fine.
>
> What did you need to do? To which PgJDBC version did you do it? To
> resolve what perceived issue(s) in the current codebase?
>
