Package org.postgresql.ssl

Class SingleCertValidatingFactory

java.lang.Object
javax.net.SocketFactory
javax.net.ssl.SSLSocketFactory
org.postgresql.ssl.WrappedFactory
org.postgresql.ssl.SingleCertValidatingFactory
public class SingleCertValidatingFactory extends WrappedFactory

Provides a SSLSocketFactory that authenticates the remote server against an explicit pre-shared SSL certificate. This is more secure than using the NonValidatingFactory as it prevents "man in the middle" attacks. It is also more secure than relying on a central CA signing your server's certificate as it pins the server's certificate.

This class requires a single String parameter specified by setting the connection property sslfactoryarg. The value of this property is the PEM-encoded remote server's SSL certificate.

Where the certificate is loaded from is based upon the prefix of the sslfactoryarg property. The following table lists the valid set of prefixes.

Valid prefixes for sslfactoryarg
Prefix Example Explanation
classpath: classpath:ssl/server.crt Loaded from the classpath.
file: file:/foo/bar/server.crt Loaded from the filesystem.
env: env:mydb_cert Loaded from string value of the mydb_cert environment variable.
sys: sys:mydb_cert Loaded from string value of the mydb_cert system property. 
-----BEGIN CERTIFICATE------
 
 -----BEGIN CERTIFICATE-----
 MIIDQzCCAqygAwIBAgIJAOd1tlfiGoEoMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
 [... truncated ...]
 UCmmYqgiVkAGWRETVo+byOSDZ4swb10=
 -----END CERTIFICATE-----
Loaded from string value of the argument.