
Default for sslmode argument while connecting to Postgres server through JDBC?


We are making connections to the Postgres server through JDBC and psql (libpq). I have set ssl to on on the Postgres server. It can take SSL as well as non-SSL connections. I made a connection through a psql client to the Postgres server and could confirm that the default sslmode (when no sslmode parameter is supplied while making the connection) is "prefer". Please note I have not supplied the sslmode parameter in the connection string from psql. Still, the connection is secured:

    psql "postgresql://$POSTGRES_HOST:$PG_PORT/postgres" -U postgres
    psql (9.6.18, server 9.6.12)
    SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
    Type "help" for help

This means that prefer is the default sslmode for psql. I have read in the AWS documentation that for JDBC connections to the server the default mode is "verify-full". I created a JDBC connection to the Postgres server by supplying no sslmode in the connection string. Passing "verify-ca" and "verify-full" fails to connect to the Postgres server with a "no certificate found" exception. The connection was successful. I just want to confirm what the default sslmode is for JDBC connections to the Postgres server when SSL is turned on on the server. I think it should be require or below.


Solution

  • The default value of the sslmode connection parameter depends on the setting of the connection parameter ssl:

    • if ssl is set to true or set without a value, then sslmode defaults to verify-full

    • if ssl is not set, sslmode defaults to prefer, much like libpq

    I'd like to quote the documentation on that, but unfortunately that only becomes clear when you read the source. See pgjdbc/src/main/java/org/postgresql/jdbc/SslMode.java:

    public enum SslMode {
    
    [...]
    
      public static SslMode of(Properties info) throws PSQLException {
        String sslmode = PGProperty.SSL_MODE.getOrDefault(info);
        // If sslmode is not set, fallback to ssl parameter
        if (sslmode == null) {
          if (PGProperty.SSL.getBoolean(info) || "".equals(PGProperty.SSL.getOrDefault(info))) {
            return VERIFY_FULL;
          }
          return PREFER;
        }
    
        for (SslMode sslMode : VALUES) {
          if (sslMode.value.equalsIgnoreCase(sslmode)) {
            return sslMode;
          }
        }
        throw new PSQLException(GT.tr("Invalid sslmode value: {0}", sslmode),
            PSQLState.CONNECTION_UNABLE_TO_CONNECT);
      }
    }
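
To check which mode a given connection string resolves to without opening a connection, the following added example (not part of the original answer or of pgjdbc) feeds constructed JDBC URLs through the driver's own URL parser and the SslMode.of method quoted above. It assumes a pgjdbc jar containing that SslMode class is on the classpath; the host name db.example.internal and the class name EffectiveSslMode are placeholders.

```java
import java.util.Properties;
import org.postgresql.Driver;
import org.postgresql.jdbc.SslMode;
import org.postgresql.util.PSQLException;

public class EffectiveSslMode {

  // Resolve the sslmode pgjdbc would pick for a URL, without connecting.
  static SslMode resolve(String url) throws PSQLException {
    Properties props = Driver.parseURL(url, new Properties());
    if (props == null) {
      throw new IllegalArgumentException("Not a PostgreSQL JDBC URL: " + url);
    }
    return SslMode.of(props);
  }

  // What the resolved mode guarantees for a pgjdbc client.
  static String guarantee(SslMode mode) {
    switch (mode) {
      case VERIFY_FULL: return "encrypted, CA and host name verified";
      case VERIFY_CA:   return "encrypted, CA verified, host name not checked";
      case REQUIRE:     return "encrypted, server certificate not verified";
      default:          return "no encryption guarantee";
    }
  }

  public static void main(String[] args) throws PSQLException {
    // Constructed sample URLs; the host is a placeholder.
    String base = "jdbc:postgresql://db.example.internal:5432/postgres";
    String[] urls = {
      base,                               // neither ssl nor sslmode set
      base + "?ssl=true",                 // ssl set to true
      base + "?ssl",                      // ssl set without a value
      base + "?ssl=false",                // ssl set, but not true or empty
      base + "?sslmode=require",          // explicit sslmode
      base + "?ssl=true&sslmode=require", // explicit sslmode overrides ssl
    };
    for (String url : urls) {
      SslMode mode = resolve(url);
      System.out.printf("%s%n    -> %s (%s)%n", url, mode, guarantee(mode));
    }
  }
}
```

Running it against the connection strings an application actually uses shows which of them rely on the prefer fallback, where an unencrypted session is still possible.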