Thread: SSL URL

SSL URL

From
Phil Moors
Date:
pg 7.4.2-1
pg74.214.jdbc3.jar

I'd like to use this jdbc driver with ColdFusion. However, CF seems to
have hard coded their jdbc driver configuration to only accept some
standard parameters. I can't find a way to pass SSLMODE=require to the
darn thing. The CF manual also says that the use of CONNECTSTRING is not
enabled for the jdbc interface. Go figure.

Where would I tweak the source to set the jdbc driver to default to SSL?
It's okay if this completely disables clear text mode. I took a quick
grep through the pg source and didn't see an obvious place, other than
the backend server. In poking through the contents of the jar file, I
see ssl and javax/net, but don't see these referenced in the pg source.
Sorry, I'm just not a Java guy (buries head).

I'd rather get native SSL support than use stunnel.

TIA
Phil

Re: SSL URL

From
Kris Jurka
Date:

On Wed, 21 Jul 2004, Phil Moors wrote:

> pg 7.4.2-1
> pg74.214.jdbc3.jar
>
> I'd like to use this jdbc driver with ColdFusion. However, CF seems to
> have hard coded their jdbc driver configuration to only accept some
> standard parameters. I can't find a way to pass SSLMODE=require to the
> darn thing. The CF manual also says that the use of CONNECTSTRING is not
> enabled for the jdbc interface. Go figure.

Surely there must be a way of specifying parameters to it.  Could you
explain how you are currently establishing the connection?

> Where would I tweak the source to set the jdbc driver to default to SSL?

If this is the only way to do it, then in the 7.4 source tree see
org/postgresql/jdbc1/AbstractJdbc1Connection.java in the openConnection
method:

                if (info.getProperty("ssl") != null && Driver.sslEnabled())
                {
                        useSSL = true;
                }
                else
                {
                        useSSL = false;
                }


Kris Jurka

Re: SSL URL

From
Phil Moors
Date:
On Wed, 2004-07-21 at 16:43, Kris Jurka wrote:
> On Wed, 21 Jul 2004, Phil Moors wrote:
>
> > pg 7.4.2-1
> > pg74.214.jdbc3.jar
> >
> > I'd like to use this jdbc driver with ColdFusion. However, CF seems to
> > have hard coded their jdbc driver configuration to only accept some
> > standard parameters. I can't find a way to pass SSLMODE=require to the
> > darn thing. The CF manual also says that the use of CONNECTSTRING is not
> > enabled for the jdbc interface. Go figure.
>
> Surely there must be a way of specifying parameters to it.  Could you
> explain how you are currently establishing the connection?
>
> > Where would I tweak the source to set the jdbc driver to default to SSL?
>
> If this is the only way to do it, then in the 7.4 source tree see
> org/postgresql/jdbc1/AbstractJdbc1Connection.java in the openConnection
> method:
>
>                 if (info.getProperty("ssl") != null && Driver.sslEnabled())
>                 {
>                         useSSL = true;
>                 }
>                 else
>                 {
>                         useSSL = false;
>                 }
>
>
> Kris Jurka

Thanks!

Re: SSL URL

From
Blaine Simpson
Date:
I don't have time to test it myself with pg, but in general you can
append any parameters to the connection URL.  I don't know how universal
it is, but you can even pass username and password in the connection URL
instead of with separate settings.  It basically goes
URL + ; + name=val.... like

    jdbc:hsqldb:hsql://localhost/enrollments;ifexists=true

Hopefully CF will let you specify the connection URL itself any way you
want, since it is up to the DB vendor what URL formats they support.



Re: SSL URL

From
Phil Moors
Date:
On Wed, 2004-07-21 at 16:54, Blaine Simpson wrote:
> I don't have time to test it myself with pg, but in general you can
> append any parameters to the connection URL.  I don't know how universal
> it is, but you can even pass username and password in the connection URL
> instead of with separate settings.  It basically goes
> URL + ; + name=val.... like
>
>     jdbc:hsqldb:hsql://localhost/enrollments;ifexists=true
>
> Hopefully CF will let you specify the connection URL itself any way you
> want, since it is up to the DB vendor what URL formats they support.
>
Doesn't look like CF supports anything but what they hardcoded into
their jdbc config:

Attribute validation error for tag CFQUERY.
The tag does not allow the attribute(s) SSLMODE. The valid attribute(s)
are BLOCKFACTOR,CACHEDAFTER,CACHEDWITHIN,CONNECTSTRING,
DATASOURCE,DBNAME,DBPOOL,DBSERVER,DBTYPE,DEBUG,
MAXROWS,NAME,PASSWORD,PROVIDER,PROVIDERDSN,SQL,
TIMEOUT,USERNAME.

Then, reading the manual, they say that connectstring is disabled for
JDBC drivers. Indeed, anything I type into connectstring is completely
ignored by CF.

Phil


Re: SSL URL

From
Phil Moors
Date:
On Wed, 2004-07-21 at 16:43, Kris Jurka wrote:

> If this is the only way to do it, then in the 7.4 source tree see
> org/postgresql/jdbc1/AbstractJdbc1Connection.java in the openConnection
> method:
>
>                 if (info.getProperty("ssl") != null && Driver.sslEnabled())
>                 {
>                         useSSL = true;
>                 }
>                 else
>                 {
>                         useSSL = false;
>                 }
>

I changed false to true and recompiled. The resulting postgresql.jar
file trips the following errors. I'm using a self signed certificate for
an internal development box. I used the Sun sdk version 1.4.2_05 because
ColdFusion's jre is 1.4.2.

Connection verification failed for data source: dweb
[]java.sql.SQLException: An I/O error has occured while flushing the
output - Exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
Stack Trace: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at org.postgresql.core.PGStream.flush(PGStream.java:412)
    at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:284)
    at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:213)
    at org.postgresql.Driver.connect(Driver.java:139)
    at coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.java:511)
    at coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(ConnectionRunner.java:64)
    at java.lang.Thread.run(Thread.java:534)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
    ... 16 more
End of Stack Trace
The root cause was that: java.sql.SQLException: An I/O error has occured
while flushing the output - Exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
Stack Trace: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.Buffere...

Phil

Phil

Re: SSL URL

From
Kris Jurka
Date:

On Thu, 22 Jul 2004, Phil Moors wrote:

> I changed false to true and recompiled. The resulting postgresql.jar
> file trips the following errors. I'm using a self signed certificate for
> an internal development box. I used the Sun sdk version 1.4.2_05 because
> ColdFusion's jre is 1.4.2.
>
> Connection verification failed for data source: dweb
> []java.sql.SQLException: An I/O error has occured while flushing the
> output - Exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found


You need to import the certificate into your jvm's trust store, so it can
verify that it is talking to the correct server.  See:

http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php

Kris Jurka
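
The trust-store import described in the last reply, sketched as an added example that is not part of the original thread or of the linked message. It checks the certificate's fingerprint against a value obtained out of band before importing, and uses a dedicated store instead of the JVM-wide cacerts; the alias, file names, CN and store password are constructed placeholders.

```sh
#!/bin/sh
# Added example: pin one self-signed server certificate in its own trust store.
# Alias, paths, CN and password are constructed placeholders, not from the thread.
set -eu

# SHA-256 fingerprint of a PEM certificate as bare hex (colons stripped).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# import_pinned_cert CERT STORE ALIAS EXPECTED_FP [STOREPASS]
# Imports CERT only when its fingerprint equals EXPECTED_FP, the value read
# off the database server itself rather than off the network connection.
import_pinned_cert() {
    if [ "$(cert_fingerprint "$1")" != "$4" ]; then
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    fi
    keytool -import -noprompt -alias "$3" -file "$1" \
        -keystore "$2" -storepass "${5:-changeit}" >/dev/null 2>&1
}

# store_has_alias STORE ALIAS [STOREPASS]: succeeds if the entry exists.
store_has_alias() {
    keytool -list -keystore "$1" -storepass "${3:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# Constructed stand-in for the server's self-signed certificate (for trying
# the functions above without touching a real server).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=dweb.example.internal" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Usage: pin-cert.sh server.crt truststore.jks dweb-dev <expected-fingerprint>
if [ "$#" -eq 4 ]; then
    import_pinned_cert "$@" && store_has_alias "$2" "$3" && echo "imported $3"
fi

# The JVM that loads the driver is then started with:
#   -Djavax.net.ssl.trustStore=/path/to/truststore.jks
#   -Djavax.net.ssl.trustStorePassword=changeit
```

A store built this way trusts only the one certificate it holds, so the "No trusted certificate found" error returns if the server certificate is regenerated, and the import has to be repeated with the new fingerprint.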