1
votes

We are making connections to the postgres server through jdbc and psql (libpq). I have set ssl to on on the postgres server. It can take SSL as well as non-SSL connections. I made a connection through a psql client to the postgres server and could confirm that the default sslmode (when no sslmode parameter is supplied while making the connection) is "prefer". Please note I have not supplied the sslmode parameter in the connection string from psql. Still, the connection is secured:

psql "postgresql://$POSTGRES_HOST:$PG_PORT/postgres" -U postgres
psql (9.6.18, server 9.6.12)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help

This means that prefer is the default sslmode for psql. I have read in the AWS documentation that for jdbc connections to the server the default mode is "verify-full". I created a jdbc connection to the postgres server by supplying no sslmode in the connection string. Passing "verify-ca" and "verify-full" fails to connect to the postgres server with a no certificate found exception. The connection was successful. I just want to confirm what the default sslmode is for jdbc connections to the postgres server when ssl is turned on on the server. I think it should be require or below.

1
Why would AWS be documenting JDBC, unless it is an AWS specific implementation? Could you provide a link to that? - jjanes
I am looking at adding SSL to Aurora Postgres Service in AWS. This is the documentation link: docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/… - user2254608
Please look at the section "To connect to an Aurora PostgreSQL DB cluster over SSL". The exact section is as follows: The default sslmode mode used is different between libpq-based clients (such as psql) and JDBC. The libpq-based clients default to prefer, where JDBC clients default to verify-full. - user2254608
The AWS documentation glosses over the real behavior. The default of behaving as if sslmode were set to verify-full applies only if you specify ssl=true. If you don't set ssl=true and also don't set sslmode, then JDBC behaves as if sslmode=prefer, same as libpq does. - jjanes
Thanks, I realised that configuring the client for ssl means setting the ssl parameter to true. But is there specific documentation on the postgresql site on this? Also, how do we test to find out that the sslmode is prefer when both these parameters are not set? - user2254608

1 Answer

1
votes

The default for the JDBC driver is to use an sslmode of verify-full.

The documentation says:

There are a number of connection parameters for configuring the client for SSL. See SSL Connection parameters

The simplest being ssl=true, passing this into the driver will cause the driver to validate both the SSL certificate and verify the hostname (same as verify-full). Note this is different than libpq which defaults to a non-validating SSL connection.
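The rule described in the comments and in the quoted documentation can be turned into a configuration check. The following is an added example, not code from the thread or from the JDBC driver project: it resolves the sslmode a PostgreSQL JDBC URL ends up with and reports URLs that do not validate the server certificate. The host name and sample URLs are constructed, and treating a bare `ssl` parameter like `ssl=true` is an assumption not stated on the page.

```python
from urllib.parse import parse_qs

# Modes that both encrypt and validate the server certificate.
VERIFYING = {"verify-ca", "verify-full"}


def effective_sslmode(jdbc_url):
    """Resolve the sslmode a PostgreSQL JDBC URL ends up with.

    Rule as stated in the thread: an explicit sslmode wins; without it,
    ssl=true behaves like verify-full; with neither, it behaves like prefer.
    """
    if not jdbc_url.startswith("jdbc:postgresql:"):
        raise ValueError("not a PostgreSQL JDBC URL: %r" % jdbc_url)
    query = jdbc_url.partition("?")[2]
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "sslmode" in params:
        return params["sslmode"]
    # Assumption: a bare "ssl" (empty value) counts the same as ssl=true.
    if params.get("ssl", "false").lower() in ("true", ""):
        return "verify-full"
    return "prefer"


def audit(urls):
    """Return (url, mode, finding) for each URL that does not validate the server."""
    findings = []
    for url in urls:
        mode = effective_sslmode(url)
        if mode in VERIFYING:
            continue
        if mode == "require":
            finding = "encrypted, but the server certificate is not validated"
        else:  # disable, allow, prefer
            finding = "connection can end up unencrypted"
        findings.append((url, mode, finding))
    return findings


# Constructed sample URLs (hypothetical host name).
SAMPLE = [
    "jdbc:postgresql://db.example.internal:5432/postgres",
    "jdbc:postgresql://db.example.internal:5432/postgres?ssl=true",
    "jdbc:postgresql://db.example.internal:5432/postgres?ssl=true&sslmode=require",
    "jdbc:postgresql://db.example.internal:5432/postgres?sslmode=verify-ca",
]

if __name__ == "__main__":
    for url, mode, finding in audit(SAMPLE):
        print("%-8s %s\n         %s" % (mode, finding, url))
```

To confirm the result against a live session, the server's `pg_stat_ssl` view (joined on `pg_backend_pid()`) shows whether the current connection is actually encrypted.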