Re: New behavior with JDBC 42.2.5

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Ravi Krishna <srkrishna(at)usa(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: New behavior with JDBC 42.2.5
Date: 2018-09-22 02:13:15
Message-ID: d4569662-3deb-7a23-3eb7-ae0d86a8ce71@aklaver.com
Lists: pgsql-general

On 9/21/18 5:46 PM, Ravi Krishna wrote:
>> First, are you doing a socket connection or a host connection? Socket
>> connections ignore sslmode.
>
> The URL template of JDBC used by dbeaver is jdbc:postgresql://{host}[:{port}]/[{database}]
>
> From the manual
>
> "The host component is interpreted as described for the parameter host. In particular, a Unix-domain socket connection is chosen if the host part is either empty or starts with a slash, otherwise a TCP/IP connection is initiated."
>
> In our case the host name does not start with a slash. So I conclude it is using TCP/IP.
>
>
>> psql postgresql://localhost:5432/test?sslmode=require
>>
>>
>> psql postgresql://localhost:5432/test?sslmode=disable
>
> We are using dbeaver, not psql. dbeaver also provides disable option for sslmode. I set sslmode=disable and it immediately rejected connection with error "SSL Mode off".
>
> So the puzzle is -> in version 42.1.4 when we do not check "Use SSL" button, connection
> fails with "SSL Mode off". In that version we check the box "Use SSL" and then in the dropdown
> for sslmode, we select sslmode=require. Only then the connection passes.
>
> In version 42.2.5 even if we do not check "Use SSL" it still behaves the same as
> "Use SSL" checked and sslmode=require.
>
> I was not able to import the security bulletin fully, but am I right in concluding
> that JDBC 42.2.5 always turns on sslmode=require unless we explicitly set sslmode=disable.

Looks that way:

https://github.com/pgjdbc/pgjdbc/commit/cdeeaca47dc3bc6f727c79a582c9e4123099526e

Line 181-184

* Parameter governing the use of SSL. The allowed values are {@code disable}, {@code allow},
* {@code prefer}, {@code require}, {@code verify-ca}, {@code verify-full}.
* If {@code ssl} property is empty or set to {@code true} it implies {@code verify-full}.
* Default mode is "require"

>
> Thanks for your help.
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
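
Added example, not part of the original message and not pgjdbc code: because the thread shows the same unset configuration behaving differently across two driver versions, this script audits JDBC URLs for an explicitly pinned sslmode, using the six values and the ssl rule from the Javadoc quoted above. The function names, finding labels and sample URLs are assumptions made for illustration, as is the rule that an explicit sslmode takes precedence over ssl.

```python
from urllib.parse import urlsplit, parse_qs

# The six sslmode values listed in the Javadoc quoted above.
MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
# Modes that never fall back to a plaintext session.
ENCRYPTED = {"require", "verify-ca", "verify-full"}


def audit_jdbc_url(url):
    """Return (effective_mode, finding) for one jdbc:postgresql:// URL."""
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a PostgreSQL JDBC URL: %r" % url)
    query = urlsplit(url[len("jdbc:"):]).query
    # keep_blank_values so a bare "?ssl" (empty value) is still seen.
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

    # Assumption: an explicit sslmode takes precedence over the ssl property.
    mode = params.get("sslmode")
    if mode is None:
        # Per the quoted Javadoc: ssl empty or "true" implies verify-full.
        if params.get("ssl", "false").lower() in ("", "true"):
            return "verify-full", "implied-by-ssl"
        # Nothing pinned: the outcome depends on the driver version in use.
        return None, "driver-default"
    if mode not in MODES:
        return mode, "invalid"
    if mode in ENCRYPTED:
        return mode, "pinned-encrypted"
    return mode, "pinned-unencrypted-allowed"


# Constructed sample URLs (hypothetical host), not taken from the thread.
SAMPLES = [
    "jdbc:postgresql://db1.example.internal:5432/test",
    "jdbc:postgresql://db1.example.internal:5432/test?sslmode=require",
    "jdbc:postgresql://db1.example.internal/test?sslmode=disable",
    "jdbc:postgresql://db1.example.internal/test?ssl",
    "jdbc:postgresql://db1.example.internal/test?ssl=true&sslmode=prefer",
    "jdbc:postgresql://db1.example.internal/test?sslmode=verify_full",
]


def audit_all(urls):
    return {u: audit_jdbc_url(u) for u in urls}


if __name__ == "__main__":
    for url, (mode, finding) in audit_all(SAMPLES).items():
        print("%-12s %-27s %s" % (mode, finding, url))
```

A "driver-default" finding marks a connection whose encryption behaviour can change on a driver upgrade, which is the situation described in the thread.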
