3

I am using Spring3, Hibernate4 and postgres9.2.

For enabling the SSL database connection, I followed following steps :

  1. Creating self signed Certificate : refer : http://www.postgresql.org/docs/9.2/static/ssl-tcp.html#SSL-CERTIFICATE-CREATION
  2. Copied the generated server.crt and server.key into postgres/9.2/data folder.
  3. URL for hibernate connection : jdbc:postgresql://localhost:5432/DB_NAME?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory

After restarting the postgres I run my application and it gives error as : 

org.postgresql.util.PSQLException: The server does not support SSL.
    at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:307)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:105)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:140)
    at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
    at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:21)
    at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:31)
    at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:23)
    at org.postgresql.Driver.makeConnection(Driver.java:393)
    at org.postgresql.Driver.connect(Driver.java:267)

Even I tried to add this line at the end of pg_hba.conf file but postgres does not get restarted :

hostssl     all     all         127.0.0.1/32        trust

EDIT

It is for other folks who received such error or wants to add database ssl connection :

I added ssl = true and removed comments for ssl related entries from postgresql.conf and it worked. :)

Naresh J
  • 2,087
  • 5
  • 26
  • 39
  • Where'd you get your PostgreSQL from? Self-compiled? Make sure that it's really using ssl, check with wireshark or tcpdump and make sure the network traffic isn't in the clear. From your update, are you saying that you had the SSL directives in `postgresql.conf` commented out? – Craig Ringer Jun 08 '13 at 02:11
  • @CraigRinger Thna you for your suggestion. For cross-checking, I added ssl=false and added comments to ssl related fields from `postgresql.conf` file then it gives error like `Server does not support SSL`. So did I successfully configured SSL ? – Naresh J Jun 08 '13 at 05:30
  • If you read the documentation, you'll see that the mere presence of any value for `ssl` is sufficient to turn it on. So `ssl=false` and `ssl=true` are (rather counter-intuitively) the same thing. What I was asking was what you meant by "added/removed comments for ssl related entries". Do you mean you *commented them out*, and that you originally *forgot to uncomment them*? – Craig Ringer Jun 08 '13 at 05:32
  • 1
    yes. exactly what i mean.. following are the lines which was commented before. and then I uncomment it : `ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' ssl_renegotiation_limit = 512MB ssl_cert_file = 'server.crt' ssl_key_file = 'server.key' ssl_ca_file = '' ssl_crl_file = '' password_encryption = on ` – Naresh J Jun 08 '13 at 05:36

4 Answers4

4

The root of your problem appears to be that your server does not support SSL or does not have it enabled. The message:

The server does not support SSL

may only be emitted by org/postgresql/core/v3/ConnectionFactoryImpl.java in enableSSL(...) when the server refuses or doesn't understand SSL requests.

Sure enough, in your update you say that you had the SSL-related options in postgresql.conf commented out. Them being commented out is the same as them being not there at all to the server; it will ignore them. This will cause the server to say it doesn't support SSL and refuse SSL connections because it doesn't know what server certificate to send. PgJDBC will report the error above when this happens.

When you un-commented the SSL options in postgresql.conf and re-started the server it started working.

You were probably confused by the fact that:

&ssl
&ssl=true
&ssl=false

all do the same thing: they enable SSL. Yes, that's kind of crazy. It's like that for historical reasons that we're stuck with, but it's clearly documented in the JDBC driver parameter reference:

ssl

Connect using SSL. The driver must have been compiled with SSL support. This property does not need a value associated with it. The mere presence of it specifies a SSL connection. However, for compatibility with future versions, the value "true" is preferred. For more information see Chapter 4, Using SSL.

As you can see, you should still write ssl=true since this may change in future.

Reading the server configuration and client configuration sections of the manual will help you with setting up the certificates and installing the certificate in your local certificate list so you don't have to disable certificate trust checking.

For anyone else with this problem: There will be more details in your PostgreSQL error logs, but my guess is your PostgreSQL config isn't right or you're using a hand-compiled PostgreSQL and you didn't compile it with SSL support.

Craig Ringer
  • 307,061
  • 76
  • 688
  • 778
1

If you are using a self-signed certificate you need to add it to your trusted key store of your Java installation on the client side.

You find the detailed instructions to achieve this here: telling java to accept self-signed ssl certificate

Community
  • 1
  • 1
Torsten
  • 6,184
  • 1
  • 34
  • 31
  • Thank you Torsten for your response. But I solved this problem and added it at in my question. – Naresh J Jun 07 '13 at 10:53
  • Good to hear. The sslfactory=org.postgresql.ssl.NonValidatingFactory part is what is saving you from checking the certificate trust chain. – Torsten Jun 07 '13 at 11:06
1

In your connection string, try

?sslmode=require

instead of 

?ssl=true
UserBSS1
  • 2,091
  • 1
  • 28
  • 31
1

Use param sslmode=disable. Work for me. Postgresql 9.5 with jdbc driver SlickPostgresDriver.

I99Mhz
  • 11
  • 1