Discussion: JDBC and certificates
Hi!

As I'm sure some of you have seen, I've been overhauling the SSL stuff in libpq for 8.4, and also added some new server functions.

I'd like to verify, well before the release, where the JDBC driver stands on these same issues, and try to make sure we have a common standpoint to dealing with this. Now, I don't actually use the JDBC driver myself - not a java guy - so pardon me for just asking these questions straight out even if it should be obvious :)

1) It is my understanding that the JDBC driver will do certificate validation of the server's certificate by default. Can someone confirm this?

2) Does the JDBC driver support client certificates, and if so, how? This *should* require no changes to work with the client certificate authentication method I'm hoping to get into 8.4, but it would be good to test that :-) And if it's not supported now, how much work would it be to add support for it?

Thanks!

//Magnus

(I take it this list works like the other pg ones but just in case - I'm not on the list, so please CC any responses)

On Thu, 13 Nov 2008, Magnus Hagander wrote:

> 1) It is my understanding that the JDBC driver will do certificate
> validation of the server's certificate by default. Can someone confirm
> this?

Yes, by default the server cert is validated. An option is provided to not validate it if desired. [1]

> 2) Does the JDBC driver support client certificates, and if so, how?
> This *should* require no changes to work with the client certificate
> authentication method I'm hoping to get into 8.4, but it would be good
> to test that :-) And if it's not supported now, how much work would it
> be to add support for it?
>

Currently client certificates are not supported. Two patches have been posted to make this work [2], but I haven't really looked at either of them.

Kris Jurka

[1] http://jdbc.postgresql.org/documentation/83/ssl-client.html#nonvalidating
[2] http://pgfoundry.org/tracker/index.php?func=detail&aid=1010293&group_id=1000224&atid=856

Magnus Hagander wrote:

> Hi!
>
> As I'm sure some of you have seen, I've been overhauling the SSL stuff
> in libpq for 8.4, and also added some new server functions.
>
> I'd like to verify, well before the release, where the JDBC driver
> stands on these same issues, and try to make sure we have a common
> standpoint to dealing with this. Now, I don't actually use the JDBC
> driver myself - not a java guy - so pardon me for just asking these
> questions straight out even if it should be obvious :)
>
> 1) It is my understanding that the JDBC driver will do certificate
> validation of the server's certificate by default. Can someone confirm this?
>
> 2) Does the JDBC driver support client certificates, and if so, how?
> This *should* require no changes to work with the client certificate
> authentication method I'm hoping to get into 8.4, but it would be good
> to test that :-) And if it's not supported now, how much work would it
> be to add support for it?
>
> <snip>

Hello

If you configure the standard Java SSL it will work - no patches necessary. We're using it in production here. You have to set up the server to require client certs.

See here for setting up Java SSL stuffs.
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

--
Vic Simkus
Department of Neurology, UIC
912 South Wood St. Room 855N
Chicago IL 60612

On Thu, 13 Nov 2008, Vic Simkus wrote:

> If you configure the standard Java SSL it will work - no patches
> necessary. We're using it in production here. You have to set up the
> server to require client certs.
>

If no additional JDBC configuration is necessary, why did you submit this?

http://archives.postgresql.org/pgsql-jdbc/2008-08/msg00025.php

Kris Jurka

Short answer - because I didn't know what I was doing. After going through all that I figured it out :)

Kris Jurka wrote:
>
>
> On Thu, 13 Nov 2008, Vic Simkus wrote:
>
>> If you configure the standard Java SSL it will work - no patches
>> necessary. We're using it in production here. You have to set up the
>> server to require client certs.
>>
>
> If no additional JDBC configuration is necessary, why did you submit
> this?
>
> http://archives.postgresql.org/pgsql-jdbc/2008-08/msg00025.php
>
> Kris Jurka
>

--
Vic Simkus
Department of Neurology, UIC
912 South Wood St. Room 855N
Chicago IL 60612
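
The setup Vic Simkus describes, sketched as an added example that is not code from the thread or from the JDBC project: the client key and the server's CA are supplied through the standard JSSE system properties, and the driver is asked for SSL with ssl=true. It assumes a driver version whose ssl=true path uses the JVM's default SSL socket factory; every path, environment variable, host, database and user name below is a placeholder.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Collections;
import java.util.Properties;

public class PgClientCertExample {
    // Returns the alias of the first private-key entry. Without one, JSSE has
    // no client certificate to present and the server-side check will fail.
    static String findKeyAlias(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("no private key entry in " + path);
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions): paths, env var names, host, db, user.
        String keyStore = "/path/to/client-keystore.jks";
        String trustStore = "/path/to/server-ca-truststore.jks";
        String keyPass = System.getenv("PG_KEYSTORE_PASSWORD");
        String trustPass = System.getenv("PG_TRUSTSTORE_PASSWORD");

        System.out.println("client key alias: " + findKeyAlias(keyStore, keyPass.toCharArray()));

        // Standard JSSE properties; set them before the first SSL connection.
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustPass);

        Properties props = new Properties();
        props.setProperty("user", "exampleuser");
        // ssl=true keeps the driver's default server-certificate validation.
        String url = "jdbc:postgresql://db.example.org/exampledb?ssl=true";
        try (Connection c = DriverManager.getConnection(url, props);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT current_user")) {
            rs.next();
            System.out.println("connected as " + rs.getString(1));
        }
    }
}
```

With the default JSSE key manager configured this way, the private key's password has to match the keystore password.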