Re: JDBC SSL hostname verification
From | Craig Ringer |
---|---|
Subject | Re: JDBC SSL hostname verification |
Date | |
Msg-id | 4E3D2D40.3000405@ringerc.id.au |
In reply to | JDBC SSL hostname verification (Bruno Harbulot <bruno@distributedmatter.net>) |
Replies | Re: JDBC SSL hostname verification |
List | pgsql-jdbc |
On 6/08/2011 11:00 AM, Bruno Harbulot wrote:
> Hello,
>
> I have noticed that I was able to connect using SSL (with a trusted
> certificate) to a server using a name that doesn't match that in the
> certificate.
>
> For example, if both "sql.example.com" and "other.example.net" point
> to the same IP address, but the certificate is not issued to
> "other.example.net" (only "sql.example.com"), the following works when
> it shouldn't:
>
> Properties props = new Properties();
> props.setProperty("user", "username");
> props.setProperty("password", "xxxxxxxx");
> props.setProperty("ssl", "true");
> Connection jdbcConnection =
> DriverManager.getConnection("jdbc:postgresql://other.example.net/db",
> props);
>
> Hostname verification (what 'verify-full' does with psql) is necessary
> for ensuring the security of the connection. Verifying that the
> certificate is trusted isn't sufficient.

JSSE doesn't verify the hostname automatically. Quoting the JSSE reference guide for Java 6:

"When using raw SSLSockets/SSLEngines you should always check the peer's credentials before sending any data. The SSLSocket and SSLEngine classes do not automatically verify that the hostname in a URL matches the hostname in the peer's credentials. An application could be exploited with URL spoofing if the hostname is not verified."

I was under the impression that PgJDBC verified the hostname itself unless verification was disabled, but it seems not. Hmm.

I guess you can use a custom SSLSocketFactory to do the verification, but it really should be something done by the stock JDBC driver.

Patch?

--
Craig Ringer