Re: JDBC connection test with SSL on PG 9.2.1 server

On Tuesday, January 29, 2013 10:12 PM danap wrote:
>Hari Babu wrote:
>> On Monday, January 28, 2013 10:20 PM, Dave Cramer wrote:
>>
>> >>On Mon, Jan 28, 2013 at 9:03 AM, Hari Babu <haribabu(dot)kommi(at)huawei(dot)com
>> <mailto:haribabu(dot)kommi(at)huawei(dot)com>> wrote:
>>
>> >>While testing PostgreSQL JDBC java client to connect to the PG 9.2.1
>> >>database server using SSL.
>> >>we got the following behavior.
>> >>
>> >>The test steps as below：
>> >>
>> >>url = "jdbc:postgresql://" + "10.145.98.227" + ':'
>> >> + "8707" + '/'
>> >> + "POSTGRES";
>> >> Properties props = new Properties();
>> >> props.setProperty("user", "CLIENT");
>> >> props.setProperty("password", "1234(at)QWER");
>> >> props.setProperty("ssl", "true");
>> >>
>> >> System.setProperty("javax.net.ssl.trustStore", "193store");
>> >> System.setProperty("javax.net.ssl.keyStore", "193client.jks");
>> >> System.setProperty("javax.net.ssl.trustStorePassword", "qwerty");
>> >> System.setProperty("javax.net.ssl.keyStorePassword", "qwerty");
>> >>
>> >> /*Begin the first ssl connection*/
>> >> conn1 = DriverManager.getConnection(url, props);
>> >> System.out.println("Connection1 successful!");
>> >>
>> >>
>> >> System.setProperty("javax.net.ssl.trustStore", "193store");
>> >> System.setProperty("javax.net.ssl.keyStore", "193client.jks");
>> >> System.setProperty("javax.net.ssl.trustStorePassword", "qwerty");
>> >> System.setProperty("javax.net.ssl.keyStorePassword", "wrongpassword");
>> >>
>> >> /*Begin the second ssl connection*/
>> >> conn2 = DriverManager.getConnection(url, props);
>> >> System.out.println("Connection2 successful!");
>> >>
>> >>Before first connection we set
>> >>"System.setProperty("javax.net.ssl.keyStorePassword", "qwerty");"
>> qwerty is
>> >>the right password
>> >>and before second SSL connection we set
>> >>"System.setProperty("javax.net.ssl.keyStorePassword", "wrongpassword");"
>> >>wrongpassword is the wrong password.
>> >>
>> >>we expect the first SSL connection will be successful and second failed
>> >>because of wrong password, but actually we get two successful SSL
>> >>connections.
>> >>We found that if the first SSL connections password set right, all the
>> >>following SSL connections are fine ,even set wrong keystroke password.
>> >>
>> >>1. Is this a defect about JDBC?
>> >>2. Is it SSL behavior to authenticate only once?
>> >>3. Is it system property behavior can be set only once.
>> >>4. Is it because of any other problems?
>> >>
>> >>please give your suggestions?
>>
>> >JDBC uses java's SSL infrastructure, as such I don't think it's a
>> defect in JDBC. It could be because your truststore >does not require a
>> password.
>>
>> I removed the trustStorePassword setting from the test, still the second
>> connection is getting success with the wrong
>>
>> keyStorePassword.

>Can you please set the property logLevel=1, INFO
>and then reply back with the output. You may also
>try logLevel=2, DEBUG for additional information.

How to set logLevel=1 INFO and logLevel =2 DEBUG. Is it is JDBC logging or something else?

We tried to get the SSL specific log by setting the system property for javax.net.debug as
"ssl" (system.setProperty("javax.net.debug", "ssl"). With this we got connection logs for each of the connection which are attached in the mail.

For the first connection, it is opening the keys file and then does init for keyStore and trustStore. But incase of second connection it just uses the previous cached session and does not open any of the file set in the property. So may be that is the reason even if wrong file or password is given before second connection, connection is successful.

From the logs we feel that SSL caching may be causing the problem.
Is there any exposed JSSE interface function to disable SSL session caching?
If you can derive something from the attached logs, please let us know.

How to set the SSL property "sslfactory" from application with some valid class?
Our idea is that JDBC convert function execution goes to the else part of
"if (classname == null)".

The code snippet is attached:

String classname = info.getProperty("sslfactory");
if (classname == null)
{
//If sslmode is set, use the libp compatible factory
if (sslmode!=null)
{
factory = new LibPQFactory(info);
}
else
{
factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
}
}
else
{
try
{
factory = (SSLSocketFactory)instantiate(classname, info, true, info.getProperty("sslfactoryarg"));
}
catch (Exception e)
{
throw new PSQLException(GT.tr("The SSLSocketFactory class provided {0} could not be instantiated.", classname), PSQLState.CONNECTION_FAILURE, e);
}
}

Regards,
Hari babu.