Greetings,
I found an issue with JDBC driver postgresql-9.4.1207.jre7 involving SSL connections.
First the context. In order to enforce TLSv1.2 connection, i extend the PostgreSQL driver in order to set properties by default :
public class SecurePostgresqlDriver extends Driver {
@Override
public Connection connect(String url, Properties info) throws SQLException {
info.setProperty(PGProperty.SSL.getName(), "true");
info.setProperty(PGProperty.SSL_FACTORY.getName(), SecurePostgresqlSocketFactory.class.getCanonicalName());
return super.connect(url, info);
}
}
But this leads me to an exception:
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "xxx", database "xxx", SSL off
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:427)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:203)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:159)
at org.postgresql.Driver.makeConnection(Driver.java:415)
at org.postgresql.Driver.connect(Driver.java:283)
at SecurePostgresqlDriver.connect(SecurePostgresqlDriver.java:21)
For the note, using the default org.postgresql.Driver class and adding "?ssl=true&sslfactory=SecurePostgresqlSocketFactory" at the end of the URL works.
I did a little debbuging, and this is what i found.
- org.postgresql.Driver.connect(String, Properties) calls the parseURL(String, Properties) method at line 264, which creates a new Properties instance with the paramater one as default (Driver :537)
- This new instance overrides the original one on this same line. So from now on my SSL and SSL_FACTORY are default properties of the current one. If the parameters were passed through URL, they would be actual properties rather than default ones.
- This instance is passed to the PgConnection, which passes it to the ConnectionFactory, which passes it to the ConnectionFactoryImpl.
- org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(HostSpec[], String, String, Properties, Logger) checks the SSL property at line 74 by calling PGProperty.isPresent(Properties)
- org.postgresql.PGProperty.isPresent(Properties) calls the getSetString(Properties) method at line 468, but this method does not check default properties.
- My SSL and SSL_FACTORY properties are ignored since they are default ones, and thus a non-SSL connection is opened.
Hence i have two questions :
- Do SSL and SSL_FACTORY properties have to be passed through URL ?
- If not, can you please patch this ? J
Best regards,
Matthieu SANCHEZ