JDBC SSL hostname verification - Mailing list pgsql-jdbc

From Bruno Harbulot
Subject JDBC SSL hostname verification
Date
Msg-id j1iaoo$uu$1@dough.gmane.org
Whole thread Raw
Responses Re: JDBC SSL hostname verification
List pgsql-jdbc
Hello,

I have noticed that I was able to connect using SSL (with a trusted
certificate) to a server using a name that doesn't match that in the
certificate.

For example, if both "sql.example.com" and "other.example.net" point to
the same IP address, but the certificate is not issued to
"other.example.net" (only "sql.example.com"), the following works when
it shouldn't:

Properties props = new Properties();
props.setProperty("user", "username");
props.setProperty("password", "xxxxxxxx");
props.setProperty("ssl", "true");
Connection jdbcConnection =
DriverManager.getConnection("jdbc:postgresql://other.example.net/db", props)

Hostname verification (what 'verify-full' does with psql) is necessary
for ensuring the security of the connection. Verifying that the
certificate is trusted isn't sufficient.

Only this should work:

Connection jdbcConnection =
DriverManager.getConnection("jdbc:postgresql://sql.example.com/db", props)


Did I miss a property to set?


I hope I'm not duplicating an existing feature, but I couldn't find
anything that performed this verification in the existing code base, so
I've implemented a patch to support it. It seems to work well against
versions 8.4 and 9.0 at least.
If this of interest to anyone, I'd be happy to contribute it to the
PostgreSQL community. (Please let me know what the procedure to do so is.)


Best wishes,

Bruno.

pgsql-jdbc by date:

Previous
From: Silvio Brandani
Date:
Subject: Re: Postgres Server Jdbc driver error
Next
From: Craig Ringer
Date:
Subject: Re: JDBC SSL hostname verification