Обсуждение: SSL without verifying server certificate
Hi everyone, I want to realize a secure database connection with jdbc and SSL between an applet and a postgres database 7.4. The driver pg74jdbc3.jar supports SSL, I created the server certificates with OpenSSL. The postgres server works fine with ssl. To establish a ssl connection with the client, you have to import the self-signed certificate to the client`s machine. Now my question: Is it possible to establish a ssl connection without importing the server certificate to the client machine? i.e. that the jdbc driver does not verify the self-signed server certificate? Thereby I could use the applet on every computer. Is there a version of the postgres jdbc driver, which allows a ssl connection without verifying the server certificate? Or is it possible to modify the source code of the current postgres jdbc driver, so that the jdbc driver does not verify the server certicate and allow ssl conection? Thanks a lot in advance, Oliver |
Mit schönen Grüßen von Yahoo! Mail.
Für die Bilder Ihrer Lieben - Yahoo! Fotos - kostenlos!
Oliver Nolden wrote: > Hi everyone, > > I want to realize a secure database connection with jdbc and SSL > between an applet and a postgres database 7.4. The driver pg74jdbc3.jar > supports SSL, I created the server certificates with OpenSSL. The > postgres server works fine with ssl. To establish a ssl connection with > the client, you have to import the self-signed certificate to the > client`s machine. > > Now my question: Is it possible to establish a ssl connection without > importing the server certificate to the client machine? i.e. that > the jdbc driver does not verify the self-signed server certificate? > Thereby I could use the applet on every computer. If you do this, you become vulnerable to man-in-the-middle attacks. Might as well just use an unencrypted connection in the first place. -O
> If you do this, you become vulnerable to man-in-the-middle attacks. Might as well just use an unencrypted connection > in the first place. Well, a man-in-the-middle attack is non-trivial since it typically means stealing a domain name. And with an encrypted channel, at least userid/passwords are nicely encrypted as is the data in the database. I think a simple sniffer type attack is far easier. But you are right that having the client import the cert (or using a well-known CA signed cert) is preferable. David >
On Mon, 16 Feb 2004, [iso-8859-1] Oliver Nolden wrote: > Hi everyone, > I want to realize a secure database connection with jdbc and SSL > between an applet and a postgres database 7.4. The driver > pg74jdbc3.jar supports SSL, I created the server certificates with > OpenSSL. The postgres server works fine with ssl. To establish a ssl > connection with the client, you have to import the self-signed > certificate to the client`s machine. Java's ssl implementation requires authenticating the server I believe. I think a better question to ask would be if there was any way to programmatically supply the server's certificate instead of having to import it into the cert. Unfortunately I don't know the answer to that question. Kris Jurka
Kris Jurka wrote: > Java's ssl implementation requires authenticating the server I > believe. I think a better question to ask would be if there was any > way to programmatically supply the server's certificate instead of > having to import it into the cert. Unfortunately I don't know the > answer to that question. IIRC, the place to look in modern versions of the J2SDK is javax.net.X509TrustManager. You can specify an X509TrustManager when you call SSLContext.init. You'd then need to get an SSLSocketFactory from that SSLContext and finally create a socket using that SocketFactory. Currently, org.postgresql.Driver.makeSSL obtains a default SSLSocketFactory by calling the static method SSLSocketFactory.getDefault(). What we'd ideally do here is leave that default in place, but allow a client to specify a different SSLSocketFactory somehow. All the dealing with X509TrustManager and SSLContext could be left to the application code, since the right way to do it is highly app-specific and security-sensitive. Any opinions on the best way to specify that SSLSocketFactory? Sticking with URL parameters is unworkable, since we would like to specify a specific instance obtained from the SSLContext, *not* a class name for a whole set of these things. We could add a method to Driver or to PGConnection, perhaps? -- www.designacourse.com The Easiest Way to Train Anyone... Anywhere. Chris Smith - Lead Software Developer/Technical Trainer MindIQ Corporation
--- Oliver Jowett <oliver@opencloud.com> schrieb: > Oliver Nolden wrote: Thank for your answer. You're rigth, but for me the authentication of the server is not important, I only want a secure connection between applet and database. In the meantime I solved my problem: I modified the postgres jdbc driver "pg74jdbc3", so that I can use it for SSL connection without verifyinf the server certificate, So I dont't have to import the server certificate on the client machine. Now I can use the applet on every machine. If somebody is interested in, I could send him the modified driver. OLiver > > Hi everyone, > > > > I want to realize a secure database connection > with jdbc and SSL > > between an applet and a postgres database 7.4. The > driver pg74jdbc3.jar > > supports SSL, I created the server certificates > with OpenSSL. The > > postgres server works fine with ssl. To establish > a ssl connection with > > the client, you have to import the self-signed > certificate to the > > client`s machine. > > > > Now my question: Is it possible to establish a ssl > connection without > > importing the server certificate to the client > machine? i.e. that > > the jdbc driver does not verify the self-signed > server certificate? > > Thereby I could use the applet on every computer. > > If you do this, you become vulnerable to > man-in-the-middle attacks. > Might as well just use an unencrypted connection in > the first place. > > -O Mit schönen Grüßen von Yahoo! Mail - http://mail.yahoo.de