Re: How to ensure that SSL is enabled? - Mailing list pgsql-jdbc

From Craig Ringer
Subject Re: How to ensure that SSL is enabled?
Date
Msg-id 1256010332.6437.74.camel@wallace.localnet
In response to How to ensure that SSL is enabled?  (Eric Jain <eric.jain@gmail.com>)
Responses Re: How to ensure that SSL is enabled?  (Eric Jain <eric.jain@gmail.com>)
List pgsql-jdbc
On Mon, 2009-10-19 at 17:31 -0700, Eric Jain wrote:
> I've appended ?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
> to the connection URL, but (looking at the network traffic) no
> encryption appears to be done. Shouldn't the connection fail if no SSL
> connection can be established? It's possible that the server isn't set
> up properly; is there a simple way to test that (e.g. verify that the
> server was compiled with SSL support etc)?


It looks like on the JDBC side this is mostly handled via custom SSLFactory classes. There's been discussion of making the "ssl" param take a string value, allowing more control over behaviour:

http://archives.free.net.ph/message/20070706.205109.cdd3ca05.en.html

... but I don't know if much ever came of it.

Personally, I handle this on the server side in pg_hba.conf. For Internet users (0.0.0.0/0 IP/mask), I use "hostssl" entries rather than simple "host" entries, so the pg_hba.conf entry only matches for SSL connections. If they're not using SSL, the server won't let them try password auth because there's no pg_hba.conf entry that'd permit them to do so.

e.g.:

    hostssl    somedatabase    all    0.0.0.0/0    md5

--
Craig Ringer
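
The server-side approach in the message above can be audited offline. The following is an added example, not part of the original message or of PostgreSQL: it applies pg_hba.conf's first-match rule to a non-SSL connection attempt and reports whether any record would let it reach an authentication method. The function names and both sample configs are constructed for illustration, and matching is simplified (numeric addresses only; no host names, `samehost`-style keywords, quoted fields or include directives).

```python
import ipaddress

# Constructed sample configs (not from the thread). "host" matches both
# SSL and non-SSL TCP connections; "hostssl" matches SSL connections only.
WEAK_HBA = """
# TYPE   DATABASE      USER  ADDRESS       METHOD
local    all           all                 md5
host     somedatabase  all   0.0.0.0/0     md5
"""
STRICT_HBA = """
local    all           all                 md5
host     all           all   127.0.0.1/32  md5
hostssl  somedatabase  all   0.0.0.0/0     md5
"""

def parse_hba(text):
    """Return (type, databases, users, network, method) for TCP records."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank lines, comments, Unix-socket "local" records
        conn_type, dbs, users, addr = fields[:4]
        if "/" in addr:  # CIDR form: ADDRESS/LEN METHOD
            method = fields[4]
        else:            # older form: ADDRESS NETMASK METHOD
            addr, method = f"{addr}/{fields[4]}", fields[5]
        network = ipaddress.ip_network(addr, strict=False)
        records.append((conn_type, dbs, users, network, method))
    return records

def first_match(records, database, user, client_ip, ssl):
    """Mimic the server's first-match rule; None means no record applies."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, dbs, users, network, method in records:
        if (conn_type == "hostssl" and not ssl) or (conn_type == "hostnossl" and ssl):
            continue
        if dbs != "all" and database not in dbs.split(","):
            continue
        if users != "all" and user not in users.split(","):
            continue
        if ip in network:
            return conn_type, method
    return None

def plaintext_allowed(text, database, user, client_ip):
    """True if an unencrypted TCP connection would reach an auth method."""
    match = first_match(parse_hba(text), database, user, client_ip, ssl=False)
    return match is not None and match[1] != "reject"
```

With the constructed `STRICT_HBA`, a non-SSL client at an Internet address matches no record at all, which is the rejection behaviour the message describes, while the loopback `host` line still permits local plaintext connections.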
