Hello,
I have noticed that I was able to connect using SSL (with a trusted
certificate) to a server using a name that doesn't match that in the
certificate.
For example, if both "sql.example.com" and "other.example.net" point to
the same IP address, but the certificate is not issued to
"other.example.net" (only "sql.example.com"), the following works when
it shouldn't:

    Properties props = new Properties();
    props.setProperty("user", "username");
    props.setProperty("password", "xxxxxxxx");
    props.setProperty("ssl", "true");
    Connection jdbcConnection =
        DriverManager.getConnection("jdbc:postgresql://other.example.net/db", props);

Hostname verification (what 'verify-full' does with psql) is necessary
for ensuring the security of the connection. Verifying that the
certificate is trusted isn't sufficient.
Only this should work:

    Connection jdbcConnection =
        DriverManager.getConnection("jdbc:postgresql://sql.example.com/db", props);

Did I miss a property to set?
I hope I'm not duplicating an existing feature, but I couldn't find
anything that performed this verification in the existing code base, so
I've implemented a patch to support it. It seems to work well against
versions 8.4 and 9.0 at least.
If this is of interest to anyone, I'd be happy to contribute it to the
PostgreSQL community. (Please let me know what the procedure to do so is.)
Best wishes,
Bruno.
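
One way to get the host name check described in the message above, as an added example that is not part of the original post and is not the patch it mentions. It assumes Java 7 or later and that the driver loads the class named in its "sslfactory" connection property and creates the TLS socket through it with the host name from the JDBC URL; the class name is hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; the class name is hypothetical. Select it with
//   props.setProperty("sslfactory", "HostnameVerifyingSSLFactory");
public class HostnameVerifyingSSLFactory extends SSLSocketFactory {
    // Trust decisions stay with the JVM default factory (default trust store).
    private final SSLSocketFactory delegate =
            (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Ask JSSE to compare the server certificate with the host name the
    // socket was created for (RFC 2818 rules). A mismatch such as
    // "other.example.net" vs. a certificate for "sql.example.com" then
    // fails the handshake instead of connecting.
    private static Socket verifying(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    // Layered over an existing plain socket (assumed to be the driver's path).
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return verifying(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return verifying(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return verifying(delegate.createSocket(host, port, local, localPort));
    }
    // No host name is known on the address-only paths, so the check can only
    // pass there if the certificate names the IP address itself.
    @Override public Socket createSocket(InetAddress addr, int port) throws IOException {
        return verifying(delegate.createSocket(addr, port));
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress local, int localPort) throws IOException {
        return verifying(delegate.createSocket(addr, port, local, localPort));
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```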