Add SSL factory SingleCertValidatingFactory #88

Closed · wants to merge 1 commit into base: master
@sehrope
Contributor

sehrope commented Sep 28, 2013

Add a new SSL socket factory that allows users to specify and verify the SSL certificate of the remote server to prevent MITM attacks. The socket factory allows for easily specifying and pinning of remote server SSL certificates when creating a new connection to a database. The SSL certificate can be specified as the String value of the certificate itself, a file path, a classpath relative path, a system property, or an environment variable.

Also included is a new test class that uses the new socket factory. The test class is disabled by default but can be enabled by setting testsinglecertfactory=true in the ssltests.properties config file.

By default the tests are configured to run against a SSL test database VM running on localhost on the ports 10084, 10090, 10091, 10092, and 10093. To test against a different set of databases edit the test parameters (JDBC URLs) at the top of the class.

The last test case pulls the SSL certificate from an environment var. For it to run the env var must be set prior to running the test. Otherwise the test is skipped. You can set it and run the test via:

$ DATASOURCE_SSL_CERT=$(cat certdir/goodroot.crt) ant clean test

The easiest way to test it and the JDBC SSL tests in general is to use the test VM I put together. It's available at: https://github.com/jackdb/pgjdbc-test-vm

To use it:

  1. Clone that repo

  2. Install Vagrant and VirtualBox

  3. Start up the VM (from the repo's directory):

    $ vagrant up

  4. Create a file build.local.properties in your JDBC driver root directory with the line port=10093 (or replace that with a different port for a different server version).

The VM that gets created is configured to run all the SSL tests (old and my new one) and can also be used to run the non-SSL tests.
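To show what "pinning a single certificate" means at the TLS layer, here is an added example of a socket-factory builder written for this page; it is not the pgjdbc SingleCertValidatingFactory or any other code from the project. It loads one PEM certificate, puts it alone into an in-memory trust store, and builds an SSLContext whose trust manager knows nothing else, so a handshake succeeds only when the server's chain is anchored on that certificate (the server cert itself, or a private root such as the goodroot.crt the PR's tests use). The source prefixes (file:, classpath:, env:, sys:) and the class and method names are this example's own assumptions, chosen to cover the five sources the description lists.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative single-certificate-pinning SSLSocketFactory builder.
 * Added example; not the pgjdbc SingleCertValidatingFactory.
 * The trust store it builds holds exactly one certificate, so nothing from
 * the JVM's default cacerts is trusted and any server whose chain does not
 * anchor on the pinned certificate fails the TLS handshake.
 */
public final class PinnedCertSocketFactory {

    private PinnedCertSocketFactory() {}

    /**
     * Resolve the certificate argument to PEM text. The prefixes below are
     * this example's own convention (assumed, not taken from the PR).
     * A bare PEM string is used as-is.
     */
    static String resolveCertificateText(String arg) throws IOException {
        if (arg.startsWith("-----BEGIN CERTIFICATE-----")) {
            return arg;
        }
        if (arg.startsWith("file:")) {
            return readAll(new FileInputStream(arg.substring(5)));
        }
        if (arg.startsWith("classpath:")) {
            InputStream in = PinnedCertSocketFactory.class.getClassLoader()
                    .getResourceAsStream(arg.substring(10));
            if (in == null) {
                throw new IOException("classpath resource not found: " + arg);
            }
            return readAll(in);
        }
        if (arg.startsWith("env:")) {
            // System.getenv, not System.getProperty: the two are easy to mix up
            return require(System.getenv(arg.substring(4)), arg);
        }
        if (arg.startsWith("sys:")) {
            return require(System.getProperty(arg.substring(4)), arg);
        }
        throw new IOException("unrecognized certificate argument: " + arg);
    }

    private static String require(String value, String arg) throws IOException {
        if (value == null || value.isEmpty()) {
            throw new IOException("certificate source is unset or empty: " + arg);
        }
        return value;
    }

    private static String readAll(InputStream in) throws IOException {
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.US_ASCII);
        } finally {
            in.close();
        }
    }

    /** Parse the PEM certificate and place it, alone, in an in-memory trust store. */
    static KeyStore singleCertTrustStore(String pem)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty: the default cacerts are deliberately excluded
        ks.setCertificateEntry("pinned", cert);
        return ks;
    }

    /** Build the factory; the PKIX trust manager is anchored solely on the pinned cert. */
    public static SSLSocketFactory create(String certArg)
            throws IOException, GeneralSecurityException {
        KeyStore ks = singleCertTrustStore(resolveCertificateText(certArg));
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

One caveat worth keeping in mind with this approach: a trust manager validates the certificate chain, not the host name. When the pinned certificate is a private root that has signed several server certificates, enable endpoint identification on the socket as well (on Java 7 and later, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` followed by `SSLSocket.setSSLParameters`), so that a certificate issued by that root for a different host is still rejected. When the pinned certificate is the server's own certificate the chain check alone already ties the connection to that one key.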

Add SSL factory SingleCertValidatingFactory
Add a new SSL socket factory that allows users to specify and verify
the SSL certificate of the remote server to prevent MITM attacks. The
socket factory allows for easily specifying and pinning of remote
server SSL certificates when creating a new connection to a database.
The SSL certificate can be specified as the String value of the
certificate itself, a file path, a classpath relative path, a system
property, or an environment variable.

Also included is a new test class that uses the new socket factory.
The test class is disabled by default but can be enabled by setting
testsinglecertfactory=true in the ssltests.properties config file.
By default the tests are configured to run against a SSL test database
VM running on localhost on the ports 10084, 10090, 10091, 10092, and
10093. To test against a different set of databases edit the test
parameters (JDBC URLs) at the top of the class.

The last test case pulls the SSL certificate from an environment var.
For it to run the env var must be set prior to running the test.
Otherwise the test is skipped. You can set it and run the test via:

    $ DATASOURCE_SSL_CERT=$(cat certdir/goodroot.crt) ant clean test
@davecramer

Member

davecramer commented Apr 25, 2014

I reworked this PR and created another one that does apply #148

Can you confirm that it should be applied ?

@sehrope

Contributor

sehrope commented Apr 25, 2014

Yes I'd still like it merged in. It should be fine as it's an entirely new class but I'd still like to test it out and make sure the tests run. I'll test out your new patch and let you know how it goes.

@sehrope

Contributor

sehrope commented Apr 25, 2014

Okay I was able to successfully run all the new SSL tests.

I found two System.getProperty() calls in the new SSL tests that should instead be System.getenv() and fixed those.

New version is here: https://github.com/sehrope/pgjdbc/tree/single-cert-ssl

Let me know if you want me to make a new PR or if you'll just pull it in manually.

@davecramer

Member

davecramer commented Apr 25, 2014

Thanks, I fixed them manually and pushed it into master

Dave Cramer


@sehrope

Contributor

sehrope commented Apr 25, 2014

Great.

FYI, I'm looking into automating the rest of the driver testing as well. I already have a half decent setup locally using a VM (https://github.com/jackdb/pgjdbc-test-vm) which is what I used to test this patch. I'd like to have the same setup for Travis-CI as well. When I have a bit of time I'll look into getting it setup.

@davecramer

Member

davecramer commented Apr 25, 2014

That would be great.

For some reason travis-ci doesn't see failures. Probably because the failure happens early and ant doesn't return a non-zero number for a failure

Dave Cramer


@davecramer

Member

davecramer commented Apr 25, 2014

committed in #148

@davecramer davecramer closed this Apr 25, 2014
