Re: JDBC with SSL - Mailing list pgsql-jdbc

From John Laban
Subject Re: JDBC with SSL
Date
Msg-id 010101c2f787$425fb790$5ac8a8c0@infotn9
In response to JDBC with SSL  ("John Laban" <johnl@infotn.com>)
List pgsql-jdbc
That is exactly what we did Friday afternoon, and it works great.

Thanks,
John


----- Original Message -----
From: "Csaba Nagy" <nagy@ecircle-ag.com>
To: "John Laban" <johnl@infotn.com>
Cc: "Nagy Istvan" <nistvan@ecity.agria.hu>; "Postgres JDBC"
<pgsql-jdbc@postgresql.org>
Sent: Monday, March 31, 2003 3:29 AM
Subject: Re: [JDBC] JDBC with SSL


> The following piece of code did it for us (I've found it):
>
> static {
>         // add support for https and the like
>         System.setProperty("java.protocol.handler.pkgs",
>                 "com.sun.net.ssl.internal.www.protocol");
>         Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>
>         try {
>             SSLContext ctx = SSLContext.getInstance("TLS");
>             ctx.init(
>               null,
>               // trust manager that accepts every certificate chain,
>               // so the peer is never authenticated
>               new TrustManager[] {
>                   new X509TrustManager() {
>                       public X509Certificate[] getAcceptedIssuers() {
>                           return new X509Certificate[0];
>                       }
>
>                       public boolean isClientTrusted(X509Certificate[] x509Certificates) {
>                           return true;
>                       }
>
>                       public boolean isServerTrusted(X509Certificate[] x509Certificates) {
>                           return true;
>                       }
>                   }
>               },
>               null
>             );
>
>             HTTPConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
>         } catch (Exception e) {
>             System.out.println("Failed to set SSL socket factory for HTTPClient. There might be problems with https.");
>         }
> }
>
> HTH,
> CSaba.
>
>
> On Fri, 2003-03-28 at 21:08, John Laban wrote:
> > Thanks for the tip, but sorry, no luck.
> >
> > As for us, we're going to try modifying the driver to use a custom
> > SSLSocketFactory that won't care about the authentication procedure.
> >
> > Thanks,
> > John Laban
> >
> >
> > ----- Original Message -----
> > From: "Nagy Istvan" <nistvan@ecity.agria.hu>
> > To: "John Laban" <johnl@infotn.com>
> > Cc: <pgsql-jdbc@postgresql.org>
> > Sent: Friday, March 28, 2003 2:07 PM
> > Subject: Re: [JDBC] JDBC with SSL
> >
> >
> > > Hi John,
> > >
> > > try this one (I hope it works)
> > >
> > > 1. open the certificate in a text editor
> > > 2. look for the line starting like this: ------ BEGIN CERTIFICATE ...
> > > 3. cut the closing section of the file (incl. the ---- BEGIN CERTIFICATE
> > > and ---- END CERTIFICATE lines) and copy it into the file cert2.crt
> > > 4. run: $ keytool -import -alias alias_name -file cert2.crt
> > > 5. answer all questions and say that you trust this cert
> > >
> > > If you were successful can you tell me about your config? I use jdk1.3.0_02
> > > and jsse (I know it is an old conf) and PG 7.3 and I receive an answer as
> > > follows: "FATAL: failed to initialize SSL connection: wrong version number".
> > > I see the next in the server's log file: "FATAL: failed to initialize SSL
> > > connection: sslv3 alert handshake failure" then "FATAL: SSL SYSCALL error:
> > > Connection reset by peer"
> > >
> > > If I change the next line in the backend code:
> > > SSL_context=SSL_CTX_new(TLSv1_method()) to
> > > SSL_context=SSL_CTX_new(SSLv23_method()) and
> > > initialize the factory in the jdbc driver by using SSLv23 then
> > > everything is ok.
> > >
> > > why?
> > >
> > > regards / Istvan Nagy
> > >
> > > ----- Original Message -----
> > > From: John Laban <johnl@infotn.com>
> > > To: Barry Lind <blind@xythos.com>
> > > Cc: <pgsql-jdbc@postgresql.org>
> > > Sent: Friday, March 28, 2003 6:06 PM
> > > Subject: Re: [JDBC] JDBC with SSL
> > >
> > >
> > > > Hello again,
> > > >
> > > > I have made numerous attempts to import the certificate from the server to
> > > > the client machine using java keytool with no success - the keytool
> > > > complains that the file is not a valid X.509 format.
> > > >
> > > > Additionally, for my application, only the encryption of the channel is
> > > > important so if it is possible to create an ssl connection without the
> > > > authentication portion that would be the best solution.
> > > >
> > > >
> > > > However I would still appreciate any information on how to import the
> > > > certificate (as generated using the Postgresql documentation) into the java
> > > > certificate store.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Barry Lind" <blind@xythos.com>
> > > > To: "John Laban" <johnl@infotn.com>
> > > > Cc: <pgsql-jdbc@postgresql.org>
> > > > Sent: Friday, March 28, 2003 11:11 AM
> > > > Subject: Re: [JDBC] JDBC with SSL
> > > >
> > > >
> > > > > John,
> > > > >
> > > > > > The error message indicates that your client doesn't trust the server's
> > > > > > certificate.  My guess is that you are using a self-signed certificate
> > > > > > on the server.  If you want to be able to connect you are going to need
> > > > > > to import that certificate into the client side java certificate store
> > > > > > so that it recognizes the self-signed certificate as valid and trusted.
> > > > >
> > > > > thanks,
> > > > > --Barry
> > > > >
> > > > >
> > > > > John Laban wrote:
> > > > > > > Thanks for the quick reply, but I'm still having some difficulty.
> > > > > > >
> > > > > > > I have been trying to connect to postgresql (redhat version 7.2.3.1) using
> > > > > > > JDBC and SSL - I am using the 7.4 development driver.
> > > > > > >
> > > > > > > I know that the server side is set up correctly because when connecting
> > > > > > > using psql the connection is established using SSL.
> > > > > > >
> > > > > > > However when connecting via JDBC I receive
> > > > > > >
> > > > > > > PostgreSQL 7.4devel JDBC3 with SSL (build 204)
> > > > > > >     ssl = true
> > > > > > >     compatible = 7.4
> > > > > > >     loglevel = 2
> > > > > > > Asking server if it supports ssl
> > > > > > > Server response was (S=Yes,N=No): S
> > > > > > > server does support ssl
> > > > > > > converting regular socket connection to ssl
> > > > > > >
> > > > > > >             at org.postgresql.core.PGStream.flush(PGStream.java:364)
> > > > > > >             at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:269)
> > > > > > >             at org.postgresql.Driver.connect(Driver.java:137)
> > > > > > >             at java.sql.DriverManager.getConnection(DriverManager.java:512)
> > > > > > >             at java.sql.DriverManager.getConnection(DriverManager.java:140)
> > > > > > >             at docextractor.test.main(test.java:35)
> > > > > > >
> > > > > > > Exception: An I/O error has occured while flushing the output - Exception:
> > > > > > > javax.net.ssl.SSLHandshakeException:
> > > > > > > java.security.cert.CertificateException: Couldn't find trusted certificate
> > > > > > >
> > > > > > > Stack Trace:
> > > > > > >
> > > > > > > javax.net.ssl.SSLHandshakeException:
> > > > > > > java.security.cert.CertificateException: Couldn't find trusted certificate
> > > > > > >             at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
> > > > > > >             at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
> > > > > > >             at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
> > > > > > >             at org.postgresql.core.PGStream.flush(PGStream.java:360)
> > > > > > >             at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:269)
> > > > > > >             at org.postgresql.Driver.connect(Driver.java:137)
> > > > > > >             at java.sql.DriverManager.getConnection(DriverManager.java:512)
> > > > > > >             at java.sql.DriverManager.getConnection(DriverManager.java:140)
> > > > > > >             at docextractor.test.main(test.java:35)
> > > > > > >
> > > > > > > Caused by: java.security.cert.CertificateException: Couldn't find trusted
> > > > > > > certificate
> > > > > > >             at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
> > > > > > >             at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
> > > > > > >             ... 15 more
> > > > > > >
> > > > > > > End of Stack Trace
> > > > > > >
> > > > > > > At the server side I get
> > > > > > >
> > > > > > > Failed to inititalize SSL Connection: sslv3 alert certificate unknown
> > > > > > > (Success)
> > > > > > >
> > > > > > > I have not been able to find any clear resolutions to this problem.  If
> > > > > > > someone can shed some light on a solution to this problem it would be
> > > > > > > greatly appreciated.
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Barry Lind" <blind@xythos.com>
> > > > > > To: "John Laban" <johnl@infotn.com>
> > > > > > Cc: <pgsql-jdbc@postgresql.org>
> > > > > > Sent: Thursday, March 27, 2003 5:58 PM
> > > > > > Subject: Re: [JDBC] JDBC with SSL
> > > > > >
> > > > > >
> > > > > >
> > > > > > >>John,
> > > > > > >>
> > > > > > >>This hasn't yet made it to the documentation.
> > > > > > >>
> > > > > > >>but adding ?ssl to the url should be what you need.  (also consider
> > > > > > >>using &loglevel=2 to turn on debugging info).
> > > > > > >>
> > > > > > >>--Barry
> > > > > > >>
> > > > > > >>John Laban wrote:
> > > > > > >>
> > > > > > >>>Hello,
> > > > > > >>>
> > > > > > >>>The newest development JDBC drivers (7.4dev, build 204, 2003-03-23) say
> > > > > > >>>they include support for SSL.  I can set up the server to use SSL, but I
> > > > > > >>>can't seem to get the JDBC driver to actually connect using SSL.  Is there
> > > > > > >>>any documentation on this?  Or is there a specific parameter I am supposed
> > > > > > >>>to include in the connection URL?
> > > > > > >>>
> > > > > > >>>Any help in this would be appreciated.
> > > > > > >>>
> > > > > > >>>John Laban
> > > > > > >>
> > > > > > >>---------------------------(end of broadcast)---------------------------
> > > > > > >>TIP 5: Have you checked our extensive FAQ?
> > > > > > >>
> > > > > > >>http://www.postgresql.org/docs/faqs/FAQ.html
> > > > > >
> > > > > >
> > > > > >
>
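
Added example (not code from this thread or from the PostgreSQL JDBC driver): Barry Lind's suggestion above, trusting the server's self-signed certificate, done in code so that the encrypted channel keeps server authentication. It pulls out the PEM block as in Istvan Nagy's steps 1-3 and builds an SSLContext whose only trust anchor is that certificate. The class name, the alias "pg-server" and the file path argument are assumptions, Java 8 or later is assumed, and handing the resulting socket factory to the driver is not shown.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedServerTrust {                       // hypothetical class name
    private static final Pattern PEM = Pattern.compile(
        "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

    // Take the first PEM block from a file that may carry other text around it
    // and decode it to an X.509 certificate.
    static X509Certificate loadServerCert(String path) throws Exception {
        String text = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        Matcher m = PEM.matcher(text);
        if (!m.find()) throw new IllegalArgumentException("no PEM certificate block in " + path);
        byte[] der = Base64.getMimeDecoder().decode(m.group(1));  // MIME decoder skips line breaks
        return (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(der));
    }

    // SSLContext that trusts exactly one certificate and nothing from the default store.
    static SSLContext contextTrustingOnly(X509Certificate serverCert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // empty in-memory store
        ks.setCertificateEntry("pg-server", serverCert);  // alias is an arbitrary label
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);     // no client key, default randomness
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadServerCert(args[0]);   // path to the server's certificate file
        cert.checkValidity();                             // fail early if expired or not yet valid
        SSLContext ctx = contextTrustingOnly(cert);
        System.out.println(ctx.getProtocol() + " context trusting only: "
            + cert.getSubjectX500Principal());
    }
}
```

A handshake through this context fails with the same "Couldn't find trusted certificate" class of error when the server presents any other certificate, which is the check the accept-all trust manager removes.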

