Package org.postgresql.ssl
Class SingleCertValidatingFactory
- java.lang.Object
-
- javax.net.SocketFactory
-
- javax.net.ssl.SSLSocketFactory
-
- org.postgresql.ssl.WrappedFactory
-
- org.postgresql.ssl.SingleCertValidatingFactory
-
public class SingleCertValidatingFactory extends WrappedFactory
Provides a SSLSocketFactory that authenticates the remote server against an explicit pre-shared SSL certificate. This is more secure than using the NonValidatingFactory as it prevents "man in the middle" attacks. It is also more secure than relying on a central CA signing your server's certificate as it pins the server's certificate.
This class requires a single String parameter specified by setting the connection property
sslfactoryarg
. The value of this property is the PEM-encoded remote server's SSL certificate.Where the certificate is loaded from is based upon the prefix of the
sslfactoryarg
property. The following table lists the valid set of prefixes.Valid prefixes for sslfactoryarg Prefix Example Explanation classpath:
classpath:ssl/server.crt
Loaded from the classpath. file:
file:/foo/bar/server.crt
Loaded from the filesystem. env:
env:mydb_cert
Loaded from string value of the mydb_cert
environment variable.sys:
sys:mydb_cert
Loaded from string value of the mydb_cert
system property.-----BEGIN CERTIFICATE------
-----BEGIN CERTIFICATE----- MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV [... truncated ...] UCmmYqgiVkAGWRETVo+byOSDZ4swb10= -----END CERTIFICATE-----
Loaded from string value of the argument.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
SingleCertValidatingFactory.SingleCertTrustManager
-
Field Summary
-
Fields inherited from class org.postgresql.ssl.WrappedFactory
factory
-
-
Constructor Summary
Constructors Constructor Description SingleCertValidatingFactory(java.lang.String sslFactoryArg)
-
Method Summary
-
Methods inherited from class org.postgresql.ssl.WrappedFactory
createSocket, createSocket, createSocket, createSocket, createSocket, getDefaultCipherSuites, getSupportedCipherSuites
-
-