[pgjdbc/pgjdbc] cdeeac: security: implement SSL hostname verification for ...

From: Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: [pgjdbc/pgjdbc] cdeeac: security: implement SSL hostname verification for ...
Date: 2018-08-27 15:33:09
Message-ID: 5b8419b56fe4b_1cc02b09ca090ed0669d7@hookshot-fe-5a11256.cp1-iad.github.net.mail
Lists: pgsql-jdbc

Branch: refs/heads/master
Home: https://github.com/pgjdbc/pgjdbc
Commit: cdeeaca47dc3bc6f727c79a582c9e4123099526e
https://github.com/pgjdbc/pgjdbc/commit/cdeeaca47dc3bc6f727c79a582c9e4123099526e
Author: Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com>
Date: 2018-08-27 (Mon, 27 Aug 2018)

Changed paths:
M .travis/travis_configure_ssl.sh
M README.md
M build.properties
R certdir/README
A certdir/README.md
M docs/documentation/head/connect.md
M pgjdbc/src/main/java/org/postgresql/PGProperty.java
M pgjdbc/src/main/java/org/postgresql/core/PGStream.java
M pgjdbc/src/main/java/org/postgresql/core/SocketFactoryFactory.java
M pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
M pgjdbc/src/main/java/org/postgresql/core/v3/QueryExecutorImpl.java
A pgjdbc/src/main/java/org/postgresql/jdbc/SslMode.java
A pgjdbc/src/main/java/org/postgresql/ssl/DefaultJavaSSLFactory.java
A pgjdbc/src/main/java/org/postgresql/ssl/LazyKeyManager.java
A pgjdbc/src/main/java/org/postgresql/ssl/LibPQFactory.java
M pgjdbc/src/main/java/org/postgresql/ssl/MakeSSL.java
A pgjdbc/src/main/java/org/postgresql/ssl/PGjdbcHostnameVerifier.java
R pgjdbc/src/main/java/org/postgresql/ssl/jdbc4/LazyKeyManager.java
M pgjdbc/src/main/java/org/postgresql/ssl/jdbc4/LibPQFactory.java
M pgjdbc/src/main/java/org/postgresql/util/ObjectFactory.java
M pgjdbc/src/test/java/org/postgresql/test/TestUtil.java
M pgjdbc/src/test/java/org/postgresql/test/jdbc2/NotifyTest.java
M pgjdbc/src/test/java/org/postgresql/test/jdbc4/Jdbc4TestSuite.java
R pgjdbc/src/test/java/org/postgresql/test/jdbc4/LibPQFactoryHostNameTest.java
A pgjdbc/src/test/java/org/postgresql/test/ssl/CommonNameVerifierTest.java
A pgjdbc/src/test/java/org/postgresql/test/ssl/LibPQFactoryHostNameTest.java
M pgjdbc/src/test/java/org/postgresql/test/ssl/SslTest.java
M pgjdbc/src/test/java/org/postgresql/test/ssl/SslTestSuite.java
M ssltest.properties

Log Message:
-----------
security: implement SSL hostname verification for non-default (LibPQFactory) SSL factories (CVE-2018-10936)

In order to configure full SSL verification, `sslmode=verify-full` should be used.
However, previous versions of pgjdbc missed hostname verification for non-default SSL factories,
so `sslmode=verify-full` was effectively the same as `sslmode=verify-ca`.

Default sslfactory (which is LibPQFactory) is not impacted.

Extra changes:
- support for sslmode=allow/prefer/require
- ssl=true is treated as verify-full
- sslfactoryarg and socketFactoryArg are deprecated (as constructors with Properties can be used).

Commit: fa032732acfe51c6e663ee646dd5c1beaa1af857
https://github.com/pgjdbc/pgjdbc/commit/fa032732acfe51c6e663ee646dd5c1beaa1af857
Author: Dave Cramer <davecramer(at)gmail(dot)com>
Date: 2018-08-27 (Mon, 27 Aug 2018)

Changed paths:
M docs/documentation/head/connect.md
M docs/documentation/head/media/css/table.css
M docs/documentation/head/ssl-client.md
M docs/documentation/head/ssl-factory.md

Log Message:
-----------
docs: improve documentation on SSL

Commit: 237a89bf3058a16a3de37b8c92d2a4d850c6c056
https://github.com/pgjdbc/pgjdbc/commit/237a89bf3058a16a3de37b8c92d2a4d850c6c056
Author: Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com>
Date: 2018-08-27 (Mon, 27 Aug 2018)

Changed paths:
M CHANGELOG.md

Log Message:
-----------
Update changelog for 42.2.5

Commit: c8a639edbd0cf39453048f1fd7d9412ec8e09293
https://github.com/pgjdbc/pgjdbc/commit/c8a639edbd0cf39453048f1fd7d9412ec8e09293
Author: Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com>
Date: 2018-08-27 (Mon, 27 Aug 2018)

Changed paths:
M CHANGELOG.md
M contributors.json
A docs/_posts/2018-08-27-42.2.5-release.md

Log Message:
-----------
docs: update site for 42.2.5

Compare: https://github.com/pgjdbc/pgjdbc/compare/c2885dd0cfc7...c8a639edbd0c