From: | Andrew M <andrew(at)jibeya(dot)com> |
---|---|
To: | John R Pierce <pierce(at)hogranch(dot)com> |
Cc: | pgsql-jdbc(at)postgresql(dot)org, Kris Jurka <books(at)ejurka(dot)com> |
Subject: | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException |
Date: | 2004-12-11 10:20:20 |
Message-ID: | 431C280A-4B5E-11D9-A341-0003938366A4@jibeya.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-jdbc |
Hi,
I have found out how the client certificates are returned to the
server. In the docs:
PostgreSQL 8.0.0beta5 Documentation
Chapter 27. libpq - C Library
27.13. SSL Support
'PostgreSQL has native support for using SSL connections to encrypt
client/server communications for increased security. See Section 16.7
for details about the server-side SSL functionality.
If the server demands a client certificate, libpq will send the
certificate stored in file .postgresql/postgresql.crt within the
user's home directory. A matching private key file
.postgresql/postgresql.key must also be present, and must not be
world-readable.
If the file .postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to
verify the server's certificate. The SSL connection will fail if the
server does not present a certificate; therefore, to use this feature
the server must also have a root.crt file.'
The only problem with this is, how do you copy an openssl {key|crt}
pair into a keytool keystore? Importing the crt into a keystore is not
a problem as long as the crt is in x509 format, but the key poses a
problem as the x509 format only handles trusted certificates.
If you start from the other side, the keystore side and generate a
certificate, a {key|crt} is automatically created in the keystore. You
will then have access to the certificate as it is public but the key is
private and cannot, as far a i'm aware, be exported from a keystore.
Any ideas? If anybody knows this, please let me know.
Andrew
On 11 Dec 2004, at 08:11, John R Pierce wrote:
>> It uses specific files relative to the user's $HOME directory. I
>> don't think this translates well into Java and I'm unsure what code
>> would be needed on the driver side to set this up. It would be great
>> if someone more Java+SSL knowledgeable could point us in the right
>> direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the
> certificate store is in ${JAVA_HOME}/lib/security
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipuate and generate these
> keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if
> your
> joining column's datatypes do not match
>
From | Date | Subject | |
---|---|---|---|
Next Message | Kris Jurka | 2004-12-11 12:33:41 | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException |
Previous Message | Kris Jurka | 2004-12-11 08:22:55 | Re: PostgreSQL + SSL - sun.security.validator.ValidatorException |