#134 Custom SSL Socket Factory

v1.3
open
nobody
None
1
2015-02-13
2015-02-13
No

This patch extends jTDS to allow a custom SSLSocketFactory implementation to be used instead of the standard ones built into the driver. This allows the library user to customise a fair amount of the SSL connection with the database, in particular:

  • Limit the SSL protocol versions that are used (currently it always uses the JRE defaults - this allows it to be locked down to, for example, TLSv1.2 only)
  • Limit the SSL cipher suites that are used (currently it always uses the JRE defaults - this allows some of the default ciphers, such as RC4, to be disabled)
  • Customise how server authentication is performed (currently it either performs no authentication, or the database must have a certificate issued by a CA trusted by the JRE - this allows server authentication to be performed even if the database presents a self-signed certificate)

Two new configuration properties have been added to support this:

  • sslsocketfactoryclassname: This is set to the full classname of the custom SSLSocketFactory implementation to use. It must be accessible to the library, and contain either a public default constructor, or a public constructor that takes a single string parameter (if the parameter is provided).
  • sslsocketfactoryparameter: This is an optional string parameter provided to the custom SSLSocketFactory constructor.

This still requires that the existing 'ssl' configuration property is set to either 'request', 'require', or 'authenticate': request still only enables SSL if supported by the database; require and authenticate are treated identically if a custom SSL socket factory is in use as it now has responsibility for server authentication. If the custom SSL socket factory is not in use then the 'ssl' configuration property continues to operate in exactly the same way as before.

I have refactored how the socket factory is created a little, so that it is done earlier in the process and errors with the custom socket factory configuration (e.g. invalid class name, inaccessible class, etc.) are now reported earlier and indicate what the problem is.

The patch is attached and can also be found at https://gist.github.com/davidbryant/446dcb82fa10bc0400f6.

Note that this patch does not resolve the hang when establishing an SSL connection with the JRE BEAST mitigation enabled as reported in bug#690.
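As an added illustration, not part of the attached patch, here is a factory of the kind the patch makes possible. The two property names and the 'ssl' values come from this ticket; the class itself, its "truststore path:password" parameter convention, the truststore path and the cipher list are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.*;
/** Hypothetical factory: TLSv1.2 only, two AEAD ciphers, trust limited to a dedicated truststore. */
public class LockedDownSslSocketFactory extends SSLSocketFactory {
    private static final String[] PROTOCOLS = {"TLSv1.2"};
    private static final String[] CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"};
    private final SSLSocketFactory delegate;

    // jTDS hands the sslsocketfactoryparameter value to this constructor; this example reads it as "<truststore path>:<password>".
    public LockedDownSslSocketFactory(String parameter) throws Exception {
        String[] parts = parameter.split(":", 2);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(parts[0])) { ts.load(in, parts[1].toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // only certificates in this store (e.g. the database's self-signed cert) are trusted
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // Applied to every socket the driver asks for, whichever overload it calls.
    private Socket harden(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        ssl.setEnabledProtocols(PROTOCOLS);
        ssl.setEnabledCipherSuites(CIPHERS);
        SSLParameters sp = ssl.getSSLParameters();
        sp.setEndpointIdentificationAlgorithm("HTTPS"); // also require the certificate's name to match the host
        ssl.setSSLParameters(sp);
        return ssl;
    }

    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return harden(delegate.createSocket(s, h, p, autoClose)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public String[] getDefaultCipherSuites() { return CIPHERS.clone(); }
    @Override public String[] getSupportedCipherSuites() { return CIPHERS.clone(); }

    // Connection properties wiring the factory in through the patch's two new settings.
    public static Properties jtdsProperties() {
        Properties p = new Properties();
        p.setProperty("ssl", "authenticate"); // with a custom factory in use, 'require' behaves the same
        p.setProperty("sslsocketfactoryclassname", LockedDownSslSocketFactory.class.getName());
        p.setProperty("sslsocketfactoryparameter", "/etc/app/db-truststore.jks:changeit"); // constructed example path
        return p;
    }
}
```

Pass the returned Properties to DriverManager.getConnection along with the jTDS URL; a misspelled class name or an unreadable truststore then fails at connection time with the factory error rather than part-way through the handshake.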

1 Attachments
