Re: PostgreSQL + SSL - sun.security.validator.ValidatorException

From: Andrew M
Subject: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Date:
Msg-id: 431C280A-4B5E-11D9-A341-0003938366A4@jibeya.com
In reply to: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException  (John R Pierce <pierce@hogranch.com>)
Responses: Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
Re: PostgreSQL + SSL - sun.security.validator.ValidatorException
List: pgsql-jdbc
Hi,
I have found out how the client certificates are returned to the
server. In the docs:

PostgreSQL 8.0.0beta5 Documentation
Chapter 27. libpq - C Library
27.13. SSL Support

'PostgreSQL has native support for using SSL connections to encrypt
client/server communications for increased security. See Section 16.7
for details about the server-side SSL functionality.

  If the server demands a client certificate, libpq will send the
certificate stored in file .postgresql/postgresql.crt within the
user's home directory. A matching private key file
.postgresql/postgresql.key must also be present, and must not be
world-readable.

  If the file .postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to
verify the server's certificate. The SSL connection will fail if the
server does not present a certificate; therefore, to use this feature
the server must also have a root.crt file.'


The only problem with this is, how do you copy an openssl {key|crt}
pair into a keytool keystore? Importing the crt into a keystore is not
a problem as long as the crt is in x509 format, but the key poses a
problem as the x509 format only handles trusted certificates.

If you start from the other side, the keystore side and generate a
certificate, a {key|crt} is automatically created in the keystore. You
will then have access to the certificate as it is public but the key is
private and cannot, as far as I'm aware, be exported from a keystore.

Any ideas? If anybody knows this, please let me know.

Andrew

On 11 Dec 2004, at 08:11, John R Pierce wrote:

>> It uses specific files relative to the user's $HOME directory.  I
>> don't think this translates well into Java and I'm unsure what code
>> would be needed on the driver side to set this up.  It would be great
>> if someone more Java+SSL knowledgeable could point us in the right
>> direction here.
>
> if the jdbc driver is using J2SE 1.4 style SecureSockets, then the
> certificate store is in ${JAVA_HOME}/lib/security
> (%JAVA_HOME%\lib\security on Windows)
>
> there is a keytool command in J2SE to manipulate and generate these
> keys.
> http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if
> your
>      joining column's datatypes do not match
>
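As an added example, not from this thread or from the PostgreSQL project, the bridge Andrew is asking about is PKCS#12: keytool cannot import a bare private key, but `openssl pkcs12 -export` bundles the key and certificate into one file that Java's JSSE reads directly as a keystore of type `PKCS12`, and keytool is then only needed for the server's root certificate. The working directory, the throwaway self-signed key/cert pair standing in for `~/.postgresql/postgresql.{key,crt}`, the aliases and the password are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: move an OpenSSL key/cert pair into a
# form Java's JSSE can use as a keystore. Every path, alias and password here
# is constructed for the demo; no real PostgreSQL server is involved.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-only-password"   # constructed; keep a real secret out of the script

# Stand-in for ~/.postgresql/postgresql.{key,crt}: a throwaway self-signed
# pair generated locally so the script runs offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-client" \
        -keyout "$WORK/postgresql.key" -out "$WORK/postgresql.crt" >/dev/null 2>&1
    # libpq refuses a world-readable key; keep the same discipline here.
    chmod 600 "$WORK/postgresql.key"
}

# The step keytool cannot do: bundle the private key with its certificate.
# keytool imports certificates only, but both it and JSSE read PKCS#12.
export_pkcs12() {
    openssl pkcs12 -export \
        -in "$WORK/postgresql.crt" -inkey "$WORK/postgresql.key" \
        -name postgresql -out "$WORK/postgresql.p12" \
        -passout "pass:$PASS"
}

# Returns 0 only if the bundle really carries the private key.
pkcs12_has_key() {
    openssl pkcs12 -in "$WORK/postgresql.p12" -passin "pass:$PASS" \
        -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

# Counterpart of ~/.postgresql/root.crt: the server CA goes into a Java
# truststore. The demo cert stands in for the CA here; skipped without a JDK.
import_root_ca() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping truststore"; return 0; }
    keytool -importcert -noprompt -trustcacerts -alias pgroot \
        -file "$WORK/postgresql.crt" -keystore "$WORK/pgtrust.jks" \
        -storepass "$PASS" >/dev/null 2>&1
}

make_demo_pair
export_pkcs12
import_root_ca || echo "truststore import failed" >&2
pkcs12_has_key && echo "client keystore ready: $WORK/postgresql.p12"
```

On the Java side the bundle is handed to JSSE without any further keytool step, via `-Djavax.net.ssl.keyStore=/path/postgresql.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=...`, and the truststore built from the server's `root.crt` via `-Djavax.net.ssl.trustStore=/path/pgtrust.jks`. Keeping the server CA in a dedicated truststore rather than in `${JAVA_HOME}/lib/security/cacerts` limits the trust decision to this one application; the `.p12` file holds the private key and deserves the same `chmod 600` the docs demand for `postgresql.key`.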
