From: | Kris Jurka <books(at)ejurka(dot)com> |
---|---|
To: | nmset(at)netcourrier(dot)com |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: SSL - NonValidatingFactory |
Date: | 2009-07-24 15:22:32 |
Message-ID: | alpine.BSO.2.00.0907241116210.7577@leary.csoft.net |
Lists: | pgsql-jdbc |

On Fri, 24 Jul 2009, nmset(at)netcourrier(dot)com wrote:
> I am having problems making SSL connection to PostgreSQL 8.3.7 with the
> jdbc driver, when using the NonValidatingFactory. The server constantly
> rejects the connection saying there is no certificate presented.
>
> There is no problem when NonValidatingFactory is not in use, and a
> keystore + truststore are used by the usual mechanism (-Djavax.ssl...).
>
> According to the PostgreSQL server documentation, if a root.crt
> certificate is present in the data directory of the database cluster,
> the server requires that a client certificate must be verified.
>
> The NonValidatingFactory is supposed to bypass any credentials
> presentation to the server.

The NonValidatingFactory does not verify the information presented by the
server. It cannot convince the server to avoid verifying the client
certificate. If the server is configured to require a client cert,
it wouldn't make a lot of sense to allow a client to turn off that
verification. The documentation was written at a time when we didn't
think client certificate presentation worked, so it didn't really consider
that possibility. So if you really want encryption only and no
validation, you need to turn off the client certificate requirement on the
server end.

Kris Jurka
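
The two client configurations discussed in this thread, side by side, as an added example that is not part of the original message or the driver's own code. The URL, user name, environment variable and the class and method names are placeholders chosen for illustration; only `ssl` and `sslfactory=org.postgresql.ssl.NonValidatingFactory` come from the driver.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class SslModes {
    // Placeholder connection target: replace with your own server and database.
    static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    static Properties base() {
        Properties p = new Properties();
        p.setProperty("user", "app_user");                        // placeholder
        p.setProperty("password", System.getenv().getOrDefault("PGPASSWORD", ""));
        p.setProperty("ssl", "true");                             // request an SSL connection
        return p;
    }

    // Encryption only: the client skips verification of the server's certificate.
    // This setting changes nothing about what the server demands from the client,
    // so a server that requires a client certificate still rejects the connection.
    static Properties encryptionOnly() {
        Properties p = base();
        p.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        return p;
    }

    // No sslfactory override. The original poster reports this works when the JVM
    // is started with keystore and truststore system properties, so the client
    // both verifies the server and has a certificate to present.
    static Properties validated() {
        return base();
    }

    // Try to connect and report the outcome instead of throwing.
    static String attempt(String label, Properties props) {
        try (Connection c = DriverManager.getConnection(URL, props)) {
            return label + ": connected";
        } catch (SQLException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("NonValidatingFactory", encryptionOnly()));
        System.out.println(attempt("default factory + keystore", validated()));
    }
}
```

If the first attempt should succeed, the change belongs on the server side, as the reply says; with `NonValidatingFactory` the client has no assurance about which server it is talking to.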