46

How can one know if the JDBC connection to an SQL server is secure (i.e. uses SSL) or not?

Is it obvious for example from the URL. Do all JDBC drivers support SSL connections to the database server, or does the use of SSL just depends on the specific database vendor?

Paŭlo Ebermann
  • 73,284
  • 20
  • 146
  • 210
Cratylus
  • 52,998
  • 69
  • 209
  • 339

2 Answers2

28

Do all jdbc drivers support ssl connection to db server and the use of ssl just depends on a specific db vendor?

Support for SSL/TLS is not mandated in the JDBC specification. So you cannot expect it in every driver.

SSL configuration on the database server could be inferred from the JDBC URL, but this need not be deterministic. In the case of Oracle, if you notice that the URL contains a connection string that indicates that the protocol in use is TCPS instead of TCP, which points to the use of SSL/TLS. If you are doing this to validate a security configuration, I would call you sloppy.

It is unwise to verify the client configuration alone to determine if the database server accepts connections over SSL, especially if non-SSL connections are disallowed. The mechanisms for verifying the SSL/TLS configuration will vary from database to database, but there would be appropriate security guides for configuring the database in each case.

If you want to do a quick test however, to verify if connectivity is over SSl/TLS, then all you have to know is that SSL/TLS secured connections are initiated with a handshake. If you do not see any, then your driver is not using SSL/TLS. You'll need to sniff network traffic for this (make sure that you have authorization to do so). Of course, it would take longer to establish the case if a connection pool were in use, for the physical connections in the pool might be reused time and again (without new connections being setup). Likewise, you might also find nmap to be useful, but I've never used it for this purpose.

Vineet Reynolds
  • 76,006
  • 17
  • 150
  • 174
  • @Vineet:What you say is confusing for me.If I expect to see an SSL handshake (to verify security) this means, I guess, that at least the server has a certificate, which is also considered as trusted by the client application.And to be considered as trusted, the application must have been configured to trust it (I guess by me).So if I have a connection with an SQL server and I did no such (certificate) configuration, can't I infer that the connection is not over SSL? – Cratylus May 31 '11 at 21:19
  • @user384706, are you referring to MSSQL server in specific? Or any RDBMS in general? If you are using JDBC and if you have to configure trust, it would usually involve JSSE configuration. In simpler words, you would have to worry about configuring your truststore. If the root CA certificate is already trusted, there is very little to do, on the client, beyond configuring the connection pool and possibly adding libraries required by the driver. If you are using an application server, the administrator might have done this already for you. Contd. – Vineet Reynolds May 31 '11 at 21:25
  • For instance, refer [this WLS related](http://www.oracle.com/technetwork/middleware/weblogic/index-087556.html#Setup_WebLogic_to_use_JDBCTHIN_with_SSL) article on how SSL is enabled for the thin Oracle driver. You'll notice that the configuration at WLS is almost trivial. – Vineet Reynolds May 31 '11 at 21:26
  • @Vineet:Yes my interest is mainly in MS-SQL server – Cratylus May 31 '11 at 21:28
  • @user384706, you could refer [this article in MSDN](http://msdn.microsoft.com/en-us/library/bb879949%28v=sql.90%29.aspx) for using SSL against MSSQL 2005, and [this one for MSSQL 2008](http://msdn.microsoft.com/en-us/library/bb879949%28v=SQL.100%29.aspx). The `encrypt=true` flag in the URL drives the configuration of whether SSL/TLS will be employed. – Vineet Reynolds May 31 '11 at 21:32
  • 1
    @Vineet, as far as I know, some JDBC connections, including Oracle with TCPS, are upgraded to TLS after some plain text JDBC exchange has taken place (in a way similar to `STARTTLS` in SMTP). In this case, the connection itself won't start with a handshake, so you'd have to look at more traffic before seeing it. It's not always obvious. – Bruno Jun 01 '11 at 12:06
  • @Bruno, that would be right. That's why it is recommended as a quick test, relying more on intuition than on specifics. – Vineet Reynolds Jun 01 '11 at 12:13
  • I'm not sure about MSSQL, but some of Oracle's JDBC default values are [not particularly secure](http://stackoverflow.com/questions/3601982/can-i-configure-ssl-with-an-remote-database-server/3613743#3613743). In particular, `oracle.net.ssl_server_dn_match` is `false` by default. – Bruno Jun 01 '11 at 12:15
5

In my opinion, a fast, secure and vendor neutral way of ensuring an SSL connection between your client and your server is to use s-tunnel.

s-tunnel (sometimes also called "stunnel") gives you lots of flexibility, such as mutual authentication etc, and still allows applications installed on the DB Server to communicate with it via a non-SSL connection (SQL Server for example allows connections in three modes (SSL OFF, SSL Optional, or SSL Only).

Using s-tunnel your connection would be routed something like this:

jdbc -> local s-tunnel port -> server's s-tunnel port -> server's database port.

By setting stunnel with the relevant firewall rules you can have confidence that remote connections to the DB are using SSL.

ifx
  • 561
  • 2
  • 13
  • When you say mutual authentication,this means that both sql server and the application have certificates? – Cratylus May 31 '11 at 21:14
  • Correct. Its the only way I managed to get a connection to SQL Server with both the host ensuring that it is speaking to a trusted client, and the client ensuring that it is indeed speaking to the correct server, though s-tunnel doesn't force you to have two certificates. – ifx Jun 03 '11 at 18:02
  • PS. I was using SQL Server 2005 and didn't want to impact the performance of my server side application. – ifx Jun 03 '11 at 18:36