Re: SSL patch - Mailing list pgsql-jdbc

From Dave Cramer
Subject Re: SSL patch
Date
Msg-id CADK3HHLjM6S-XsioBJjWLSUQX-uXjmPYh1AK=MU45Fa2siPLOA@mail.gmail.com
In response to Re: JDBC SSL hostname verification  (Bodor Andras <bodri.mh3@gmail.com>)
Responses Re: SSL patch
List pgsql-jdbc
Andras,

I noticed that the server.crt in the patch is only good for 1 month
and expires in Sept of this year.

Dave Cramer

dave.cramer(at)credativ(dot)ca
http://www.credativ.ca




On Thu, Nov 10, 2011 at 10:45 AM, Bodor András <bodri.mh3@gmail.com> wrote:
> Can you send me some error log, and your database setup?
>
> On Thu, Nov 10, 2011 at 4:19 PM, Dave Cramer <pg@fastcrypt.com> wrote:
>> Hi Bodor,
>>
>> Understood.
>>
>> So now all the tests are failing, some due to unknown ca, others to
>> certificate expired?
>>
>> Dave Cramer
>>
>> dave.cramer(at)credativ(dot)ca
>> http://www.credativ.ca
>>
>>
>>
>>
>> On Thu, Nov 10, 2011 at 9:30 AM, Bodor András <bodri.mh3@gmail.com> wrote:
>>> Dear Dave,
>>>
>>> The installation of sslinfo is only necessary for the unit tests, it is
>>> not used at all in the driver itself. Obviously I wanted to test whether
>>> we were actually using ssl, but it is not essential. It can be removed,
>>> or an additional option can be introduced to ssltest.properties.
>>> The relevant lines are in
>>> org.postgresql.test.ssl.SslTest.driver(String connstr, Object[]
>>> expected)
>>>
>>> There are a few things still to be done with this patch.
>>> 1. the jdbc datasource interface was not modified at all,
>>> so it is unaware of the new options,
>>> 2. it should be decided, what is the expected behaviour of sslmode=allow
>>> or prefer (they might be omitted completely),
>>> 3. I have not tested certificate chains yet,
>>> 4. when a client certificate is available, the v8 and v9 servers
>>> behave differently (BUG #5468 is fixed in v9) so different unit tests are
>>> needed to check this,
>>> 5. there is a list of options somewhere in the code, this should
>>> be updated as well,
>>> 6. documentation.
>>>
>>>           Andras
>>>
>>> On Thu, Nov 10, 2011 at 2:56 PM, Dave Cramer <pg@fastcrypt.com> wrote:
>>>> Andras,
>>>>
>>>> I'm looking at your patch attached to this link
>>>> http://archives.postgresql.org/pgsql-jdbc/2011-08/msg00067.php right
>>>> now. Thanks by the way!
>>>>
>>>> The only thing I'd like to pose to the list is the necessity for
>>>> sslinfo to be installed in any database. I can envision some
>>>> production environments in which this may not be possible?
>>>>
>>>> Dave Cramer
>>>>
>>>> dave.cramer(at)credativ(dot)ca
>>>> http://www.credativ.ca
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Sep 15, 2011 at 11:41 AM, Bodor Andras <bodri.mh3@gmail.com> wrote:
>>>>>
>>>>>  Yes, it is also included in the patch
>>>>> (package org.postgresql.test.ssl). It
>>>>> tries to connect to a series of databases
>>>>> with different ssl properties. The connection
>>>>> strings are given in the ssltest.properties
>>>>> file in the root of the distribution. Just
>>>>> comment out the connstrings that you don't
>>>>> want to run. Also read the certdir/README
>>>>> file. (build.xml is modified to run this test.)
>>>>>           Andras
>>>>>
>>>>>
>>>>> Dave Cramer wrote:
>>>>>>
>>>>>> Hi Bodor,
>>>>>>
>>>>>> So do you have any test cases for this ?
>>>>>>
>>>>>> Dave Cramer
>>>>>>
>>>>>> dave.cramer(at)credativ(dot)ca
>>>>>> http://www.credativ.ca
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2011/9/13 Bodor Andras<bodri.mh3@gmail.com>:
>>>>>>>
>>>>>>>  Hi!
>>>>>>>
>>>>>>>  Can you make any use of my SSL patch sent in on the 23rd of August?
>>>>>>>           Andras
>>>>>>>
>>>>>>> --
>>>>>>> Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
>>>>>>> To make changes to your subscription:
>>>>>>> http://www.postgresql.org/mailpref/pgsql-jdbc
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
