Thread: SSL - NonValidatingFactory

SSL - NonValidatingFactory

From: nmset@netcourrier.com

Hello,

I am having problems making SSL connection to PostgreSQL 8.3.7 with the
jdbc driver, when using the NonValidatingFactory. The server constantly
rejects the connection saying there is no certificate presented.

There is no problem when NonValidatingFactory is not in use, and a
keystore + truststore are used by the usual mechanism (-Djavax.ssl...).

According to the PostgreSQL server documentation, if a root.crt
certificate is present in the data directory of the database cluster,
the server requires that a client certificate must be verified.

The NonValidatingFactory is supposed to bypass any credentials
presentation to the server.

How can one manage to use the NonValidatingFactory successfully, just
for traffic encryption?

Thank you.


SET
nmset@netcourrier.com


Re: SSL - NonValidatingFactory

From: Kris Jurka

On Fri, 24 Jul 2009, nmset@netcourrier.com wrote:

> I am having problems making SSL connection to PostgreSQL 8.3.7 with the
> jdbc driver, when using the NonValidatingFactory. The server constantly
> rejects the connection saying there is no certificate presented.
>
> There is no problem when NonValidatingFactory is not in use, and a
> keystore + truststore are used by the usual mechanism (-Djavax.ssl...).
>
> According to the PostgreSQL server documentation, if a root.crt
> certificate is present in the data directory of the database cluster,
> the server requires that a client certificate must be verified.
>
> The NonValidatingFactory is supposed to bypass any credentials
> presentation to the server.


The NonValidatingFactory does not verify the information presented by the
server.  It cannot convince the server to avoid verifying the client
certificate.  If the server is configured to require a client cert,
it wouldn't make a lot of sense to allow a client to turn off that
verification.  The documentation was written at a time when we didn't
think client certificate presentation worked, so it didn't really consider
that possibility.  So if you really want encryption only and no
validation, you need to turn off the client certificate requirement on the
server end.

Kris Jurka
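
The two directions of verification described in the reply above, as an added example that is not part of the original thread or the driver's own code. It assumes the PostgreSQL JDBC driver is on the classpath; the host, database, user and password are hypothetical placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class SslModes {
    // Hypothetical endpoint; replace with your own server and database.
    static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    /** Common properties: credentials (placeholders) and a request for SSL. */
    static Properties base() {
        Properties p = new Properties();
        p.setProperty("user", "app_user");
        p.setProperty("password", "change-me");
        p.setProperty("ssl", "true");
        return p;
    }

    /** Encryption only: the client does not verify the server's certificate. */
    static Properties encryptOnly() {
        Properties p = base();
        p.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        return p;
    }

    /** Validated: default JSSE socket factory. Trust and key material come from
     *  -Djavax.net.ssl.trustStore / -Djavax.net.ssl.keyStore on the command line. */
    static Properties validated() {
        return base();
    }

    static void attempt(String label, Properties p) {
        try (Connection c = DriverManager.getConnection(URL, p)) {
            System.out.println(label + ": connected");
        } catch (SQLException e) {
            // When the server requires a client certificate (root.crt present),
            // the encrypt-only attempt ends here: the factory setting changes only
            // what the client checks, not what the server demands.
            System.out.println(label + ": rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        attempt("NonValidatingFactory", encryptOnly());
        attempt("default factory with keystore/truststore", validated());
    }
}
```

Against a server that requires client certificates, only the second attempt can succeed, and only when the JVM was started with a keystore holding a certificate the server trusts.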

Re: SSL - NonValidatingFactory

From: "Saleem EDAH-TALLY"

OK, that's a clear explanation.


I don't know if devs on this forum are server devs too. I would suggest that irrespective of the presence of a server trusted cert (root.crt) that the server be usable by the client, as his any time choice, for encryption only and/or server/client authentication. Other RDBMS allow that: Oracle, Apache Derby and MySQL. Although traffic encryption only raises security concerns, it may be helpful in some limited cases.


Thank you for replying.


Re: SSL - NonValidatingFactory

From: Kris Jurka

On Fri, 24 Jul 2009, Saleem EDAH-TALLY wrote:

> I don't know if devs on this forum are server devs too. I would suggest
> that irrespective of the presence of a server trusted cert (root.crt)
> that the server be usable by the client, as his any time choice, for
> encryption only and/or server/client authentication. Other RDBMS allow
> that: Oracle, Apache Derby and MySQL. Although traffic encryption only
> raises security concerns, it may be helpful in some limited cases.

That's not going to happen.  A server configured with a root.crt file is
essentially saying, "Clients must present a certificate to be
authenticated."  Allowing a client to bypass that check is a serious
security hole.  You might as well request that the client should be
allowed to decide not to provide a password even if the server requests
it and be able to connect.

Kris Jurka

Re: SSL - NonValidatingFactory

From: "Saleem EDAH-TALLY"

In fact, my last post was too hasty and not well thought out. You are totally right. Moreover, my comments about the other RDBMS are wrong, they do oblige the client to present a valid cert if they are configured so.


Please accept my apologies for this erroneous and hasty post, which would be deleted at best.


Regards.


Re: SSL - NonValidatingFactory

From: "Donald Fraser"

----- Original Message -----
From: Saleem EDAH-TALLY


>OK, that's a clear explanation.

>I don't know if devs on this forum are server devs too. I would suggest
>that irrespective of the presence of a server trusted cert (root.crt) that
>the server be usable by the client, as his any time choice, for
>encryption only and/or server/client authentication. Other RDBMS allow
>that: Oracle, Apache Derby and MySQL.
>Although traffic encryption only raises security concerns, it may be
>helpful in some limited cases.

Can I just say my two cents worth.
I think what you want is server authentication, which is achieved with
server certificates. That is a server.crt and server.key files in the data
directory of the server.
The client can choose, if configured correctly in pg_hba.conf, whether they
want to connect with ssl or not and this is when you might want the
NonValidatingFactory, which I would guess means you don't need the server's
public key certificate in the Java key store to validate against.

Regards
Donald