Hi-
I tried posting this a couple weeks ago but it kept getting rejected
by the list's filter so I ended up putting all the info in a pull
request on GitHub (https://github.com/pgjdbc/pgjdbc/pull/80). Looks
like I can (finally) post here now so here goes ...
Full details are in the linked pull request but the gist of it is that
this patch adds a new SSL socket factory that performs remote server
certificate validation against a pre shared SSL certificate. What's
different about it (vs the existing socket factories) is that it
easily allows specifying the SSL certificate at runtime as either a
string, file, environment variable, or system property.
We got the idea for it working on our product JackDB (a database
client in your browser ... check it out!) as the primary use case for
our public cloud version is to connect to cloud databases (ex: Heroku
Postgres or Amazon RDS). Although most DBaaS providers support
connecting over SSL, the common advice online is ignore the
authentication piece of the SSL handshake by using the
NonValidatingFactory (which makes you vulnerable to a man in the
middle attack). That obviously wasn't acceptable and we looked at
other options as well but none was straightforward enough,
particularly for our use case of dynamically adding data sources at
runtime, so we came up with this class.
We've been using a variant of this in JackDB for a while now and it's
been working great. Let me know what you guys think.
Thanks,
Sehrope Sarkuni
Founder & CEO | JackDB, Inc. | http://www.jackdb.com/ | @jackdb
