Re: Support for cert auth in JDBC - Mailing list pgsql-jdbc

From Marc-André Laverdière
Subject Re: Support for cert auth in JDBC
Date
Msg-id 4E0820A4.3090004@atc.tcs.com
In response to Re: Support for cert auth in JDBC  (Craig Ringer <craig@postnewspapers.com.au>)
Responses Re: Support for cert auth in JDBC  (Craig Ringer <craig@postnewspapers.com.au>)
List pgsql-jdbc
Hello everybody,

I haven't heard back about this testing... did anyone get time to do it?

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On 05/25/2011 07:09 AM, Craig Ringer wrote:
> On 25/05/11 00:27, Kris Jurka wrote:
>>
>>
>> On Tue, 24 May 2011, Marc-André Laverdière wrote:
>>
>>> It is not over... It is not in the CVS repository yet :D
>>>
>>> What would be the next step?
>>
>> It was not clear to me that the discussion between you and Craig had
>> resulted in a final code version.  Apparently you think so.  Craig do
>> you concur?
>
> I'm happy with the state of the code, but should really test it properly
> before signing off on that. In particular, I need to test PKCS#12 cert
> files and test a JCEKS keystore containing multiple keys only one of
> which is valid to access Pg.
>
> On the other hand, I'm swamped at the moment and unsure if I'll get to
> that in a reasonable amount of time. The tests Marc-André wrote
> demonstrate the core functionality pretty well, and the code would be
> good to get into the official codebase to save others from duplicating
> the same work over and over as both Marc-André and I have each done already.
>
> Argh. I'm going to have to come back to that, as I have a backup server
> to fix. Maybe it's best if you have a look and see what you think of it,
> while I try to find some time to do some more testing.
>
>> Perhaps some documentation updates
>> would be in order, but I haven't looked at the code yet to know what
>> might be appropriate.
>
> Some documentation updates are definitely in order, to sit alongside the
> existing documentation for the non-validating ssl factory.
>
>
> By the way, I _do_ think it'd be useful to add support for constructing
> the socket factory with:
>
>    FactoryClass(String arg, Properties jdbcProperties)
>
> ... where the properties argument contains all the Pg JDBC properties
> like the user name and password. It'd make it easier for apps to pass
> custom args into a socket factory, especially things like the password
> to the user's private key that they don't want to have to put in the
> sslocketfactoryarg string.
>
> I could also then produce a second version of the cert factory for
> people to use that got all its settings from the jdbc connection
> properties instead of the system properties.
>
> I wouldn't suggest adding that now, though, but maybe as a revision once
> the working code is already committed.
>
> --
> Craig Ringer
