Thread: SSL support in PG 7.4
Has any progress been made in getting SSL support for connections between Java apps and PG via JDBC? The mail archives seem to say "no" (at least as of last February).

If not, a short discussion of what would be involved would be appreciated. We may have some programmer cycles to apply to such a project.

Thanks,
Rich Cullingford
rculling@sysd.com
On Thu, 31 Jul 2003, Rich Cullingford wrote:

> Has any progress been made in getting SSL support for connections
> between Java apps and PG via JDBC? The mail archives seem to say "no"
> (at least as of last February).

http://archives.postgresql.org/pgsql-jdbc/2003-02/msg00348.php

> If not, a short discussion of what would be involved would be
> appreciated. We may have some programmer cycles to apply to such a project.

I don't know what kind of testing this has received. Perhaps you'd be interested in doing that?

Kris Jurka
I thought it was done already, but I am not sure.

---------------------------------------------------------------------------

Rich Cullingford wrote:
> Has any progress been made in getting SSL support for connections
> between Java apps and PG via JDBC? The mail archives seem to say "no"
> (at least as of last February).
>
> If not, a short discussion of what would be involved would be
> appreciated. We may have some programmer cycles to apply to such a project.
> Thanks,
> Rich Cullingford
> rculling@sysd.com

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Rich,

The SSL support is in 7.4, but it is currently broken. Actually I think it might work against a 7.3 database, but won't work against a 7.4 database with the v3 FE/BE protocol. It worked up until the v3 protocol changes were put in, and I haven't had time to go back and fix it up.

Before 7.4 goes production this needs to be cleaned up and the doc needs to be updated to reflect this new feature. I consider the doc updates especially important since it can be difficult to get SSL working under Java (Java can be difficult to get certificates loaded correctly.)

Anyone want to help finish this off?

thanks,
--Barry

Rich Cullingford wrote:
> Has any progress been made in getting SSL support for connections
> between Java apps and PG via JDBC? The mail archives seem to say "no"
> (at least as of last February).
>
> If not, a short discussion of what would be involved would be
> appreciated. We may have some programmer cycles to apply to such a project.
> Thanks,
> Rich Cullingford
> rculling@sysd.com
Barry Lind <blind@xythos.com> writes:
> The SSL support is in 7.4, but it is currently broken. Actually I think
> it might work against a 7.3 database, but won't work against a 7.4
> database with the v3 FE/BE protocol. It worked up until the v3 protocol
> changes were put in, and I haven't had time to go back and fix it up.

I'm surprised that the protocol changes would have affected SSL support --- the SSL wrapper goes on, or not, before we do anything protocol-version-specific. Do you recall exactly what is the interaction?

regards, tom lane
Tom,

In general that may be true. And I didn't look into this very much at the time I did my initial v3 protocol work. But in glancing at the code just now, it needs to at least correctly handle a v3 style error response from an ssl handshake request, no? So some work needs to be done. But it may be the case that if you have a successful handshake the code will work as is.

thanks,
--Barry

Tom Lane wrote:
> Barry Lind <blind@xythos.com> writes:
>
>> The SSL support is in 7.4, but it is currently broken. Actually I think
>> it might work against a 7.3 database, but won't work against a 7.4
>> database with the v3 FE/BE protocol. It worked up until the v3 protocol
>> changes were put in, and I haven't had time to go back and fix it up.
>
> I'm surprised that the protocol changes would have affected SSL support
> --- the SSL wrapper goes on, or not, before we do anything
> protocol-version-specific. Do you recall exactly what is the
> interaction?
>
> regards, tom lane
Barry Lind <blind@xythos.com> writes:
> In general that may be true. And I didn't look into this very much at the
> time I did my initial v3 protocol work. But in glancing at the code
> just now, it needs to at least correctly handle a v3 style error
> response from an ssl handshake request, no?

Actually not. Any modern postmaster will give you either 'Y' or 'N' back for an SSL request, whether it's compiled with SSL support or not. An 'E' response is only possible from postmasters that predate the introduction of SSL support ... and so it'll be V2 format for sure. (I'm not sure that you really care what follows 'E' in this case, anyway. You can just drop the connection and try again without SSL.)

regards, tom lane
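The exchange Tom describes, as an added example that is not code from this thread or from the JDBC driver: the client sends the 8-byte SSLRequest packet (Int32 length 8, Int32 code 80877103) and inspects the single byte that comes back. The accept byte in the protocol is 'S' (the message above writes it as 'Y'); 'N' is the answer of a postmaster built without SSL, and an 'E' can only come from a postmaster older than SSL support, so it is in V2 format and the client need not parse what follows it. FakePostmaster, the SslMode policy and the Outcome names are constructed for this example (SslMode is modelled on libpq's sslmode values). It also carries the check a practitioner wants at this point: whether "drop the connection and try again without SSL" is acceptable is a client policy decision, since a prefer-style fallback is triggered by whatever on the path answers 'N', while a require-style policy aborts instead.

```python
import struct
from enum import Enum

# SSLRequest packet: Int32 length (8) then Int32 code 80877103 = (1234 << 16) | 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


class SslMode(Enum):
    """Client policy (hypothetical names, modelled on libpq's sslmode values)."""
    DISABLE = "disable"  # never send an SSLRequest
    PREFER = "prefer"    # ask for SSL, but continue in plaintext if refused
    REQUIRE = "require"  # abort if the server will not do SSL


class Outcome(Enum):
    START_TLS = "start-tls"  # server answered 'S': wrap the socket in TLS, then send StartupMessage
    PLAINTEXT = "plaintext"  # proceed without SSL (reconnect first if an SSLRequest was sent)
    ABORT = "abort"          # policy forbids plaintext; give up


class FakePostmaster:
    """Constructed stand-in for the server side of the exchange; not PostgreSQL code.

    ssl_built: a modern postmaster compiled with (True) or without (False) SSL.
    pre_ssl:   a postmaster that predates SSL support; it does not know the
               request code and answers with a V2-format ErrorResponse.
    """

    def __init__(self, ssl_built: bool = True, pre_ssl: bool = False) -> None:
        self.ssl_built = ssl_built
        self.pre_ssl = pre_ssl

    def reply(self, packet: bytes) -> bytes:
        length, code = struct.unpack("!ii", packet[:8])
        if length != 8 or code != SSL_REQUEST_CODE:
            raise ValueError("fake postmaster only models the SSLRequest path")
        if self.pre_ssl:
            # V2 ErrorResponse: 'E' followed by a NUL-terminated string, no length word.
            return b"E" + b"Unsupported frontend protocol\x00"
        return b"S" if self.ssl_built else b"N"


def classify_response(first_byte: bytes, mode: SslMode) -> Outcome:
    """Decide what the client does with the single byte that answers an SSLRequest."""
    if first_byte == b"S":
        return Outcome.START_TLS
    if first_byte in (b"N", b"E"):
        # 'N': modern postmaster without SSL. 'E': pre-SSL postmaster, V2 error.
        # Whatever follows the 'E' is irrelevant: the connection is dropped either way.
        return Outcome.ABORT if mode is SslMode.REQUIRE else Outcome.PLAINTEXT
    raise ValueError(f"unexpected SSLRequest response byte {first_byte!r}")


def negotiate(postmaster: FakePostmaster, mode: SslMode) -> Outcome:
    """Run the client side of the exchange against a (fake) postmaster."""
    if mode is SslMode.DISABLE:
        return Outcome.PLAINTEXT
    response = postmaster.reply(SSL_REQUEST)
    return classify_response(response[:1], mode)


if __name__ == "__main__":
    servers = (("modern, SSL built", FakePostmaster()),
               ("modern, no SSL", FakePostmaster(ssl_built=False)),
               ("pre-SSL (V2 'E')", FakePostmaster(pre_ssl=True)))
    for label, pm in servers:
        for mode in SslMode:
            print(f"{label:18} sslmode={mode.value:8} -> {negotiate(pm, mode).value}")
```

Only the first byte of the reply is ever examined, which is exactly why the V2-versus-V3 question does not arise before the TLS wrapper is in place; the table the `__main__` block prints shows that the single byte that matters for a client is the policy it applies when that byte is not 'S'.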
On Wed, 6 Aug 2003, Barry Lind wrote:

> Before 7.4 goes production this needs to be cleaned up and the doc needs
> to be updated to reflect this new feature. I consider the doc updates
> especially important since it can be difficult to get SSL working under
> java (java can be difficult to get certificates loaded correctly.)

I patched our local version of the driver to make the path to the root certificate file(s) configurable. I'll send in the patch when I have a chance.

Brian
Tom,

Thanks for the explanation.

--Barry

Tom Lane wrote:
> Barry Lind <blind@xythos.com> writes:
>
>> In general that may be true. And I didn't look into this very much at the
>> time I did my initial v3 protocol work. But in glancing at the code
>> just now, it needs to at least correctly handle a v3 style error
>> response from an ssl handshake request, no?
>
> Actually not. Any modern postmaster will give you either 'Y' or 'N'
> back for an SSL request, whether it's compiled with SSL support or not.
> An 'E' response is only possible from postmasters that predate the
> introduction of SSL support ... and so it'll be V2 format for sure.
> (I'm not sure that you really care what follows 'E' in this case,
> anyway. You can just drop the connection and try again without SSL.)
>
> regards, tom lane