I am using Spring3, Hibernate4 and postgres9.2.
For enabling the SSL database connection, I followed following steps :
Creating self signed Certificate : refer : http://www.postgresql.org/docs/9.2/static/ssl-tcp.html#SSL-CERTIFICATE-CREATION
Copied the generated server.crt and server.key into postgres/9.2/data folder.
URL for hibernate connection : jdbc:postgresql://localhost:5432/DB_NAME?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
After restarting the postgres I run my application and it gives error as :
org.postgresql.util.PSQLException: The server does not support SSL.
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:307)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:105)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:140)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:21)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:31)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:23)
at org.postgresql.Driver.makeConnection(Driver.java:393)
at org.postgresql.Driver.connect(Driver.java:267)
Even I tried to add this line at the end of pg_hba.conf file but postgres does not get restarted :
hostssl all all 127.0.0.1/32 trust
EDIT
It is for other folks who received such error or wants to add database ssl connection :
I added ssl = true and removed comments for ssl related entries from postgresql.conf and it worked. :)
The root of your problem appears to be that your server does not support SSL or does not have it enabled. The message:
The server does not support SSL
may only be emitted by org/postgresql/core/v3/ConnectionFactoryImpl.java in enableSSL(...) when the server refuses or doesn't understand SSL requests.
Sure enough, in your update you say that you had the SSL-related options in postgresql.conf commented out. Them being commented out is the same as them being not there at all to the server; it will ignore them. This will cause the server to say it doesn't support SSL and refuse SSL connections because it doesn't know what server certificate to send. PgJDBC will report the error above when this happens.
When you un-commented the SSL options in postgresql.conf and re-started the server it started working.
You were probably confused by the fact that:
&ssl
&ssl=true
&ssl=false
all do the same thing: they enable SSL. Yes, that's kind of crazy. It's like that for historical reasons that we're stuck with, but it's clearly documented in the JDBC driver parameter reference:
ssl
Connect using SSL. The driver must have been compiled with SSL
support. This property does not need a value associated with it. The
mere presence of it specifies a SSL connection. However, for
compatibility with future versions, the value "true" is preferred. For
more information see Chapter 4, Using SSL.
As you can see, you should still write ssl=true since this may change in future.
Reading the server configuration and client configuration sections of the manual will help you with setting up the certificates and installing the certificate in your local certificate list so you don't have to disable certificate trust checking.
For anyone else with this problem: There will be more details in your PostgreSQL error logs, but my guess is your PostgreSQL config isn't right or you're using a hand-compiled PostgreSQL and you didn't compile it with SSL support.
If you are using a self-signed certificate you need to add it to your trusted key store of your Java installation on the client side.
You find the detailed instructions to achieve this here: telling java to accept self-signed ssl certificate
In your connection string, try
?sslmode=require
instead of
?ssl=true
Use param sslmode=disable. Work for me. Postgresql 9.5 with jdbc driver SlickPostgresDriver.
Related
I'm trying to run liquibase update command using
liquibase --driver="com.ibm.db2.jcc.DB2Driver" --changeLogFile="masterchangelog.xml " --url="jdbc:db2://localhost:60001/SMDINTDB:retrieveMessageFromServerOnGetMessage=true;sslConnection=true;" --username="" --password="" --classpath=/home/db2inst1/sqllib/java/db2jcc4.jar validate
But I'm getting following error. Can anyone help me how to resolve this issue? How I can specify the location of certs ?
Unexpected error running Liquibase: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.26.14] A communication error occurred during operations on the connection's underlying socket, socket input stream,
or socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ERRORCODE=-4499, SQLSTATE=08001
Several pre-requisites exist for on-premises Db2-LUW SSL connectivity with jdbc.
liquibase works correctly with SSL connections to on-premises Db2-LUW, if all the prerequisite configuration completed successfully. Here are some tips.
the target Db2-LUW instance has to be already configured for SSL as per IBM Db2 documentation here. If you are using a cloud based Db2 service from IBM then this is already done for you, although you may need to use the IBM supplied root cert on the client side.
your client side JRE needs to be configured per IBM's Db2-LUW documentation here. I use the IBM JRE (as supplied with the Db2-LUW server) for liquibase.
for on-premises Db2-LUW your client side needs the java keystore created, and the server's certificate imported into it (keytool -importcert -file /your/path/to/server_certificate ... ).
for your specific error, for on-premises Db2-LUW you might try additional options in the connection string to tell the JRE how to access the client side keystore into which you already imported the server certificate. Specifically sslTrustStoreLocation=/path/to/.keystore;sslTrustStorePassword=whatever; . Note that I did not need these options if using Db2-on-cloud (liquibase worked correctly with SSL to Db2-on-cloud once I added DigiCertGlobalRootCA.crt to my keystore (although even that may be unnecessary) , but I did not try Db2-warehouse-on-cloud as I don't use that service.
I'm trying to install a self-host WCF service on a server with Windows Server 2012.
I was following these steps:
import my pfx file with mmc
run "netsh http add sslcert ipport=0.0.0.0:49000 certhash=e09280ded2322eb858b38b3250e1a488f797b269 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"
install my service and start it
At first it works well. But after a few hours the ssl crashes and I can only get error msg at client as below
An unhandled exception of type 'System.ServiceModel.CommunicationException' occurred in mscorlib.dll.
Additional information: An error occurred while making the HTTP request to https://servername:49000/WCFServiceName. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
run "netsh http delete sslcert ipport=0.0.0.0:49000"
and delete the imported pfx and then redo step1 and 2 can make ssl works again, but the problem will still appears in a few hours.
It's definitely not the SecurityProtocol problem, for I have already tried adding
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
before request. And both server and client uses .Net Framework 4.5.2
I've tried "netsh http show sslcert", and got below result:
IP:port : 0.0.0.0:49000
Certificate Hash : e09280ded2322eb858b38b3250e1a488f797b269
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
I've tried delete the sslcert binding on port 49000 and created an empty website binding to port 49000 in IIS and make my service listening to that port then. It works the first time and lasted for about a week before the same error pops out.
Where should I begin to locate and solve this wired problem?
First, we should ensure that the certificate private key could be accessed by WCF. The Network Service account (or Everyone account) should be added in the certificate READ/Writer group, then we run the application (windows service, or console?) with corresponding account.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-make-x-509-certificates-accessible-to-wcf
Second, as you know, TLS version need OS and Dotnetframework support, the default protocol version is ssl3.0/tls1.0(auto-negotiate, could not be configured). We had better use the latest OS version and .netframework4.7. I think this may be the cause of unstable communications.
Please refer to the below document.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Feel free to let me know if the problem still exists.
I've applied my PKCS12 certificate to my gateway.
My certificate is a wildcard certificate and i'm trying to apply it
to the gateway so I don't have do this for all my micro-services.
These are the settings in my properties file for development:
server.port:8443
server.ssl.enabled=true
server.ssl.key-store=integration.domain.net.p12
server.ssl.key-store-password=*********
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=integration.domain.net
The dev server starts up and SSL is enabled. When I open the connection to https://localhost:8080/ I am redirected to :8443 as I expect. However, the browser is indicating the connection is 'Not Secure'.
I can see that my certificate is being used so I'm a bit confused as to why this is not working. I'd like to know how to resolve this so that our clients see that our gateway is properly secured.
Does anybody have any ideas or suggestions?
thanks,
Nevermind. I figured this out. My certificate is obviously looking for a valid domain or subdomain that corresponds to the information contained therein. So of course, localhost is not there. I just added a dev-integration.domain.net to my /etc/hosts file for development and everything is just fine.
Sorry if I wasted anyone's time.
I'm currently working on a project that requires connecting to oracle eventhub which is a Oracle's version of kafka. The systems contacting the restproxy wouldnt accept the self signed certificate hence i'm trying to do either :
1- turn off https and allow for http connections to kafka
2- import a signed certificate i generated
unfortunately i cant locate the certificate store neither do i know how to or even if it is possible to have the rest proxy run on http
The solution was more simple than i thought, obviously Oracle Eventhub rest-proxy uses nginx for service exposure, few modifications to the configuration file and i was able to both remove https and allow for a certificate that i had issued
Attempting to implement client authentication with an SSL cert, according to this HOWTO,
I receive the following errors.
Apache:
Re-negotiation handshake failed: Not accepted by client!?
Firefox:
ssl_error_handshake_failure_alert
I assume it is a configuration error, but have not been able to locate it.
Additional info:
Commercial CA server cert servers secure works without problem in Apache 2.2 & Passenger.
Only client authentication related directives do not work.
Is your certificate signed by verizon or someone like that? If not, you might want to add an exception in firefox. By default it stops you.
pd. doesn't sound like a passenger question
When you require client certificate authorization, you have to point Apache to file containing the root CA (and intermediates also) certificates which issued the client certificate
Also post your client authentication config part.