|
Tak,
i have modified a driver for this
purpose. It works in a production system together with a v7.1.2 back
end. I have tried to make a patch against
the current jdbc cvs and back-end but i faced several problems as
follows
the most significant objection is that
the current back end uses TLSv1. Using TLSv1 the JSSE reference
implementation(v1.0.3) from Sun Microsystems fails to carry
out the complete handshakeing process. I rewrote several parts of the
7.3 back-end to use SSLv2/3 instead of TLSv1(openssl api) and a
modified driver build from the current cvs (first week of jan. this
year) was able to work correctly and connected to postgresql 7.3 too.
Read the
$PGSQL_SRC/backend/libpq/README.SSL and
$PGSQL_SRC/interfaces/libpq/fe-connect.c,fe-secure.c,fe-misc.c (v7.3) or
$PGSQL_SRC/interfaces/libpq/fe-connect.c (v7.1.2) very carefully before any
programming to study the method how a client asks the back end
to use a secure channel. You have to implement the postgresql "handshake"
process first in the driver then the SSL
handshake. For details of message type formats of the
postgresql see the documentation.
regards,
Istvan Nagy
----- Original Message -----
Sent: Wednesday, February 19, 2003 12:23
AM
Subject: [JDBC] SSL for JDBC
>
Hi
>
> I try to connect to postgresql server by
> SSL via
JDBC.
>
> But I got always error. The handshake always
fail.
>
> I create the SSL Private key 'server.key' and selfsigned
certificate
> 'server.crt' by openssl.
> and configure postgresql to
accept ssl.
>
> When I connect by psql like
>
> #psql
-h 192.168.1.20 TestDB -u
> ---Outpot---------
> psql: Warning: The
-u option is deprecated. Use -U.
> User name: testuser
>
Password:testpass
> Welcome to psql, the PostgreSQL interactive
terminal.
>
> Type: \copyright for distribution terms
>
\h for help with SQL commands
>
\? for help on internal slash
commands
> \g or terminate with
semicolon to execute query
> \q to
quit
>
> SSL connection (cipher: DES-CBC3-SHA, bits: 168)
>
----------------------
>
> So SSL connection is correctly setup in
the postgresql server.
>
> Then, I modified the postgresql Driver,
PG_Stream.java and replcace the
> Socket by SSLSocket as
following.
>
> ++++++++++++++++++++++++++++
> //connection =
new Socket(host, port);
> SSLSocketFactory factory = (SSLSocketFactory)
SSLSocketFactory.getDefault();
> connection = (SSLSocket)
factory.createSocket(host,port);
> connection.startHandshake();
>
> ~~
> //private Socket connection
> private SSLSocket
connection;
> +++++++++++++++++++++++++
>
> Than I add the
certificate into the root CA to be trusted.
> keytool -import -storetype
jks -keystore cacerts -file server.crt
> cacerts is in
java_home/jre/lib/security/cacerts.
>
> But I still got the
error.
>
> -->Exception: The connection attempt failed because
Exception:
> javax.net.ssl.SSL
> Exception: Unrecognized SSL
handshake.
> Stack Trace:
> javax.net.ssl.SSLException: Unrecognized
SSL handshake.
> at
com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
>
at
java.io.OutputStream.write(OutputStream.java:58)
>
at
>
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
>
at
org.postgresql.PG_Stream.<init>(PG_Stream.java:32)
>
at
>
org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJ
>
dbc1Connection.java:160)
> at
org.postgresql.Driver.connect(Driver.java:122)
>
at
java.sql.DriverManager.getConnection(DriverManager.java:512)
>
at
java.sql.DriverManager.getConnection(DriverManager.java:171)
>
at
test.connectdb(test.java:47)
>
>
> I am wondering if anybody
have successfuly connected from JDBC to PostgreSQL
> by SSL.
>
Please help me!
>
> Hopefully, SSL supported driver is coming
soon!
> Thank you.
>
> Tak
>
>
>
>
> ---------------------------(end of
broadcast)---------------------------
> TIP 2: you can get off all lists
at once with the unregister command
> (send "unregister
YourEmailAddressHere" to majordomo@xxxxxxxxxxxxxx)
>
|
