Re: SSL without verifying server certificate - Mailing list pgsql-jdbc

From Chris Smith
Subject Re: SSL without verifying server certificate
Date
Msg-id 04ce01c3f55b$9a7c91f0$6f00000a@KYA
Whole thread Raw
In response to Re: SSL without verifying server certificate  (Kris Jurka <books@ejurka.com>)
List pgsql-jdbc
Kris Jurka wrote:
> Java's ssl implementation requires authenticating the server I
> believe. I think a better question to ask would be if there was any
> way to programmatically supply the server's certificate instead of
> having to import it into the cert.  Unfortunately I don't know the
> answer to that question.

IIRC, the place to look in modern versions of the J2SDK is
javax.net.X509TrustManager.  You can specify an X509TrustManager when you call
SSLContext.init.  You'd then need to get an SSLSocketFactory from that
SSLContext and finally create a socket using that SocketFactory.

Currently, org.postgresql.Driver.makeSSL obtains a default SSLSocketFactory by
calling the static method SSLSocketFactory.getDefault().  What we'd ideally do
here is leave that default in place, but allow a client to specify a different
SSLSocketFactory somehow.  All the dealing with X509TrustManager and
SSLContext could be left to the application code, since the right way to do it
is highly app-specific and security-sensitive.

Any opinions on the best way to specify that SSLSocketFactory?  Sticking with
URL parameters is unworkable, since we would like to specify a specific
instance obtained from the SSLContext, *not* a class name for a whole set of
these things.  We could add a method to Driver or to PGConnection, perhaps?

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation


pgsql-jdbc by date:

Previous
From: Dave Cramer
Date:
Subject: cacheing metadata
Next
From: "Chris Smith"
Date:
Subject: Re: isSingleXXX in AbstractJdbc1Statement