Thread: SSL question

SSL question

From
"Bronson, Allan B. (Mission Systems)"
Date:

I am trying to create an SSL connection to Postgres using JDBC and am not sure if it is working.

I read that you must have openssl on the client machine for the connection to take place. I have turned ssl = on in the config file, created a cert and key file and placed them in the correct directory, created a truststore and added the ?ssl=true to the url for the client. When I do all this I connect and get data back from the db. My confusion is when I read that I need openssl on the client machine to connect, since I can connect without openssl installed. I do notice that if my truststore does not have the cert placed in it, I get an error saying missing certificate (something like that), does that mean ssl is working for the client and server?

I am using Postgres 8.2 and have read that I may need to compile the Postgres src code with openssl for it to be enabled.  Is this correct or is SSL already compiled into the src code? 

Thanks to anyone who can provide information or point me in the right direction.  I am facing a tight deadline and don’t have a ton of extra time to research this more. 

allan

Re: SSL question

From
Tino Schwarze
Date:
On Fri, Feb 01, 2008 at 09:08:23AM -0600, Bronson, Allan B. (Mission Systems) wrote:

> I am trying to create an SSL connection to Postgres using JDBC and am not
> sure if it is working.
>
> I read that you must have openssl on the client machine for the
> connection to take place.

You don't need openssl if you use JDBC since SSL-support is part of
Java and the JDBC-driver will handle the SSL stuff.

I've never used SSL connections though, so this is a bit of guessing on
my side.

> I have turned ssl = on in the config file,
> created a cert and key file and placed them in the correct directory,
> created a truststore and added the ?ssl=true to the url for the client.
> When I do all this I connect and get data back from the db.  My
> confusion is when I read that I need openssl on the client machine to
> connect, since I can connect without openssl installed.  I do notice
> that if my truststore does not have the cert placed in it, I get an
> error saying missing certificate (something like that), does that mean
> ssl is working for the client and server?

I'd simply take a packet sniffer like wireshark and look at the network
traffic with and without SSL. That way you'll see what is going on and
whether it's encrypted.

HTH,

Tino.

--
www.craniosacralzentrum.de
www.spiritualdesign-chemnitz.de

Tino Schwarze * Lortzingstraße 21 * 09119 Chemnitz
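
What to look for in the capture Tino suggests, as an added example that is not part of the original thread: a PostgreSQL client that wants SSL first sends an 8-byte SSLRequest (code 80877103), the server answers with a single byte `S` or `N`, and only after `S` does a TLS handshake begin. The function name and the sample payloads below are constructed for illustration.

```python
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679: PostgreSQL SSLRequest
PROTOCOL_3_0 = 196608        # 3 << 16: version field of a plaintext StartupMessage

def classify_pg_stream(client_bytes: bytes, server_bytes: bytes) -> str:
    """Classify the start of one PostgreSQL TCP connection.

    Arguments are the reassembled payload bytes sent by the client and by the
    server, e.g. exported from a capture of port 5432.
    """
    if len(client_bytes) < 8:
        return "incomplete"
    length, code = struct.unpack("!II", client_bytes[:8])
    if code == PROTOCOL_3_0:
        return "plaintext"  # client never asked for SSL
    if code != SSL_REQUEST_CODE or length != 8:
        return "unknown"
    if not server_bytes:
        return "incomplete"
    answer, rest = server_bytes[:1], client_bytes[8:]
    if answer == b"N":
        # Server refused SSL. A StartupMessage after the refusal means the
        # client fell back to clear text.
        if len(rest) >= 8 and struct.unpack("!I", rest[4:8])[0] == PROTOCOL_3_0:
            return "ssl-refused-plaintext"
        return "ssl-refused"
    if answer == b"S":
        # A TLS record starts with content type 0x16 (handshake), major version 3.
        # Other hello formats (e.g. SSLv2-compatible) are reported separately.
        if len(rest) >= 2 and rest[0] == 0x16 and rest[1] == 0x03:
            return "encrypted"
        return "ssl-accepted-unrecognized"
    return "unknown"

# Constructed sample payloads (not taken from a real capture).
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
PARAMS = b"user\x00app\x00database\x00appdb\x00\x00"
STARTUP = struct.pack("!II", 8 + len(PARAMS), PROTOCOL_3_0) + PARAMS
TLS_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])

if __name__ == "__main__":
    print(classify_pg_stream(SSL_REQUEST + TLS_HELLO_PREFIX, b"S"))
    print(classify_pg_stream(STARTUP, b"R"))
    print(classify_pg_stream(SSL_REQUEST + STARTUP, b"N"))
```

A result of `ssl-refused-plaintext` is the case to watch for: the client asked for SSL, the server declined, and the session continued unencrypted.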

Re: SSL question

From
"Peter Koczan"
Date:
On Feb 1, 2008 9:08 AM, Bronson, Allan B. (Mission Systems)
<Allan.Bronson@ngc.com> wrote:
> I am trying to create an SSL connection to Postgres using JDBC and am not
> sure if it is working.
>
> I read that you must have openssl on the client machine for the connection
> to take place.  I have turned ssl = on in the config file, created a cert
> and key file and placed them in the correct directory, created a truststore
> and added the ?ssl=true to the url for the client.  When I do all this I
> connect and get data back from the db.  My confusion is when I read that I
> need openssl on the client machine to connect, since I can connect without
> openssl installed.  I do notice that if my truststore does not have the cert
> placed in it, I get an error saying missing certificate (something like
> that), does that mean ssl is working for the client and server?
>
> I am using Postgres 8.2 and have read that I may need to compile the
> Postgres src code with openssl for it to be enabled.  Is this correct or is
> SSL already compiled into the src code?
>
> Thanks to anyone who can provide information or point me in the right
> direction.  I am facing a tight deadline and don't have a ton of extra time
> to research this more.

I think you do need to compile PostgreSQL with SSL support. If you're
getting a vendor-made package (a .rpm or .deb, for instance), you
should do a little

As far as JDBC goes, check out
http://jdbc.postgresql.org/documentation/82/ssl.html (though it sounds
like you already have). I'm trying to get SSL support working with
JDBC as well, and I've found that guide very good.

Don't forget to edit your server's pg_hba.conf to allow or force
ssl-based connections, as well.

You should also ask your question on the JDBC list. They focus
exclusively on that and will be best able to help you.

Hope this helps.

Peter