Thread: SSL - NonValidatingFactory
Hello,

I am having problems making SSL connection to PostgreSQL 8.3.7 with the jdbc driver, when using the NonValidatingFactory. The server constantly rejects the connection saying there is no certificate presented.

There is no problem when NonValidatingFactory is not in use, and a keystore + truststore are used by the usual mechanism (-Djavax.ssl...).

According to the PostgreSQL server documentation, if a root.crt certificate is present in the data directory of the database cluster, the server requires that a client certificate must be verified.

The NonValidatingFactory is supposed to bypass any credentials presentation to the server.

How can one manage to use the NonValidatingFactory successfully? Just for traffic encryption.

Thank you.

SET
nmset@netcourrier.com
On Fri, 24 Jul 2009, nmset@netcourrier.com wrote:

> I am having problems making SSL connection to PostgreSQL 8.3.7 with the
> jdbc driver, when using the NonValidatingFactory. The server constantly
> rejects the connection saying there is no certificate presented.
>
> There is no problem when NonValidatingFactory is not in use, and a
> keystore + truststore are used by the usual mechanism (-Djavax.ssl...).
>
> According to the PostgreSQL server documentation, if a root.crt
> certificate is present in the data directory of the database cluster,
> the server requires that a client certificate must be verified.
>
> The NonValidatingFactory is supposed to bypass any credentials
> presentation to the server.

The NonValidatingFactory does not verify the information presented by the server. It cannot convince the server to avoid verifying the client certificate. If the server is configured to require a client cert, it wouldn't make a lot of sense to allow a client to turn off that verification. The documentation was written at a time when we didn't think client certificate presentation worked, so it didn't really consider that possibility.

So if you really want encryption only and no validation, you need to turn off the client certificate requirement on the server end.

Kris Jurka
OK, that's a clear explanation.
I don't know if devs on this forum are server devs too. I would suggest that irrespective of the presence of a server trusted cert (root.crt) that the server be usable by the client, as his any time choice, for encryption only and/or server/client authentication. Other RDBMS allow that: Oracle, Apache Derby and MySQL. Although traffic encryption only raises security concerns, it may be helpful in some limited cases.
Thank you for replying.
On Fri, 24 Jul 2009, Saleem EDAH-TALLY wrote:

> I don't know if devs on this forum are server devs too. I would suggest
> that irrespective of the presence of a server trusted cert (root.crt)
> that the server be usable by the client, as his any time choice, for
> encryption only and/or server/client authentication. Other RDBMS allow
> that: Oracle, Apache Derby and MySQL. Although traffic encryption only
> raises security concerns, it may be helpful in some limited cases.

That's not going to happen. A server configured with a root.crt file is essentially saying, "Clients must present a certificate to be authenticated." Allowing a client to bypass that check is a serious security hole. You might as well request that the client should be allowed to decide not to provide a password even if the server requests it and be able to connect.

Kris Jurka
In fact, my last post was too hasty and not well thought out. You are totally right. Moreover, my comments about the other RDBMS are wrong, they do oblige the client to present a valid cert if they are configured so.
Please accept my apologies for this erroneous and hasty post, which would be deleted at best.
Regards.
----- Original Message -----
From: Saleem EDAH-TALLY

>OK, that's a clear explanation.
>I don't know if devs on this forum are server devs too. I would suggest
>that irrespective of the presence of a server trusted cert (root.crt) that
>the server be usable by the client, as his any time choice, for
>encryption only and/or server/client authentication. Other RDBMS allow
>that: Oracle, Apache Derby and MySQL.
>Although traffic encryption only raises security concerns, it may be
>helpful in some limited cases.

Can I just say my two cents worth. I think what you want is server authentication, which is achieved with server certificates. That is a server.crt and server.key files in the data directory of the server. The client can choose, if configured correctly in pg_hba.conf, whether they want to connect with ssl or not and this is when you might want the NonValidatingFactory, which I would guess means you don't need the server's public key certificate in the Java key store to validate against.

Regards
Donald
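A server-side check for the situation discussed in this thread, as an added example that is not part of any poster's message or of PostgreSQL itself: it reports whether a data directory, under the 8.3.7 behaviour described above, will demand a client certificate (root.crt present) or leaves encryption-only connections possible. It assumes postgresql.conf sits in the data directory with a single `ssl` line; the function names and result labels are made up for illustration.

```shell
#!/bin/sh
# Added example: classify the SSL posture of a PostgreSQL data directory
# using the rules stated in this thread (server version 8.3.7).
# Function names and result labels are hypothetical.

# ssl_enabled CONF
# Succeeds if CONF has an uncommented "ssl = on" (or true/yes/1).
# Assumption: the setting appears at most once in the file.
ssl_enabled() {
    [ -f "$1" ] || return 1
    grep -Eiq "^[[:space:]]*ssl[[:space:]]*=[[:space:]]*'?(on|true|yes|1)'?([[:space:]]|#|$)" "$1"
}

# pg_ssl_posture DATADIR
# Prints one of:
#   ssl-off                  SSL is not enabled in postgresql.conf
#   ssl-misconfigured        SSL enabled but server.crt or server.key missing
#   client-cert-required     root.crt present: clients must present a
#                            certificate, whatever sslfactory they use
#   encryption-only-possible no root.crt: a client may connect over SSL
#                            without presenting a certificate
pg_ssl_posture() {
    datadir=$1
    if ! ssl_enabled "$datadir/postgresql.conf"; then
        echo "ssl-off"
        return 0
    fi
    if [ ! -f "$datadir/server.crt" ] || [ ! -f "$datadir/server.key" ]; then
        echo "ssl-misconfigured"
        return 0
    fi
    if [ -f "$datadir/root.crt" ]; then
        echo "client-cert-required"
    else
        echo "encryption-only-possible"
    fi
}

# Stand-alone use: pass the data directory as the first argument.
if [ "$#" -gt 0 ]; then
    pg_ssl_posture "$1"
fi
```

A result of `client-cert-required` is the case the original poster hit: the client-side NonValidatingFactory setting has no effect on it, and only a server-side change alters the outcome.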