Re: JDBC SSL hostname verification - Mailing list pgsql-jdbc

From Craig Ringer
Subject Re: JDBC SSL hostname verification
Date
Msg-id 4E3D2D40.3000405@ringerc.id.au
Whole thread Raw
In response to JDBC SSL hostname verification  (Bruno Harbulot <bruno@distributedmatter.net>)
Responses Re: JDBC SSL hostname verification
List pgsql-jdbc
On 6/08/2011 11:00 AM, Bruno Harbulot wrote:
> Hello,
>
> I have noticed that I was able to connect using SSL (with a trusted
> certificate) to a server using a name that doesn't match that in the
> certificate.
>
> For example, if both "sql.example.com" and "other.example.net" point
> to the same IP address, but the certificate is not issued to
> "other.example.net" (only "sql.example.com"), the following works when
> it shouldn't:
>
> Properties props = new Properties();
> props.setProperty("user", "username");
> props.setProperty("password", "xxxxxxxx");
> props.setProperty("ssl", "true");
> Connection jdbcConnection =
> DriverManager.getConnection("jdbc:postgresql://other.example.net/db",
> props)
>
> Hostname verification (what 'verify-full' does with psql) is necessary
> for ensuring the security of the connection. Verifying that the
> certificate is trusted isn't sufficient.

JSSE doesn't verify the hostname automatically. Quoting the JSSE
reference guide for Java 6:

"When using raw SSLSockets/SSLEngines you should always check the peer's
credentials before sending any data. The SSLSocket and SSLEngine classes
do not automatically verify that the hostname in a URL matches the
hostname in the peer's credentials. An application could be exploited
with URL spoofing if the hostname is not verified."

I was under the impression that PgJDBC verified the hostname its self
unless verification was disabled, but it seems not. Hmm. I guess you can
use a custom SSLSocketFactory to do the verification, but it really
should be something done by the stock JDBC driver. Patch?

--
Craig Ringer

pgsql-jdbc by date:

Previous
From: Bruno Harbulot
Date:
Subject: JDBC SSL hostname verification
Next
From: Bruno Harbulot
Date:
Subject: Re: JDBC SSL hostname verification