Hi folks
It might save people some time and hassle if the PgJDBC docs referenced:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
where custom SSLSocketFactory implementations are discussed. It's quite
trivial to provide app-specific keystores and cert stores using
runtime-set java properties, to import user-supplied PKCS#12 certs for
client certificate use, etc, but only if you know where to look. The
JavaDoc for the JSSE API is ... lacking ... so references to good
starting points would really help.
It makes me uncomfortable that the only SSLSocketFactory provided by
Pg's JDBC Driver at the moment just disables server certificate
checking. If I get the chance I'll try to supply one that loads a
PKCS#12 client certificate, uses that for authentication, and uses the
certs from that and/or the standard Java cacerts to verify the server's
identity. I had an implementation earlier, but it turned out to
duplicate much of what the Java APIs do (once you know where to look) so
I'll be sending a greatly simplified single-class version for inclusion
in PgJDBC in a while.
In the mean time, adding some docs refs would IMO significantly improve
usability of the PgJDBC SSL features and help reduce the number of
people who just say "stuff it, I'll disable cert validation since that's
easy".
--
Craig Ringer
Tech-related writing: http://soapyfrogs.blogspot.com/