Re: SSL without verifying server certificate

 --- Oliver Jowett <oliver@opencloud.com> schrieb: >
Oliver Nolden wrote:

Thank for your answer. You're rigth, but for me the
authentication of the server is not important,
I only want a secure connection between applet and
database.

In the meantime I solved my problem: I modified the
postgres jdbc driver "pg74jdbc3", so that I can use it
for SSL connection without verifyinf the server
certificate, So I dont't have to import the server
certificate on the client machine. Now I can use the
applet on every machine.

If somebody is interested in, I could send him the
modified driver.

OLiver

> > Hi everyone,
> >
> > I want to realize a secure database connection
> with jdbc and SSL
> > between an applet and a postgres database 7.4. The
> driver pg74jdbc3.jar
> > supports SSL, I created the server certificates
> with OpenSSL. The
> > postgres server works fine with ssl. To establish
> a ssl connection with
> > the client, you have to import the self-signed
> certificate to the
> > client`s machine.
> >
> > Now my question: Is it possible to establish a ssl
> connection without
> > importing the server certificate to the client
> machine? i.e. that
> > the jdbc driver does not verify the self-signed
> server certificate?
> > Thereby I could use the applet on every computer.
>
> If you do this, you become vulnerable to
> man-in-the-middle attacks.
> Might as well just use an unencrypted connection in
> the first place.
>
> -O




Mit schönen Grüßen von Yahoo! Mail - http://mail.yahoo.de