2

We are making connections to the Postgres server through JDBC and psql (libpq). I have set ssl to on on the Postgres server. It can take SSL as well as non-SSL connections. I made a connection through a psql client to the Postgres server and could confirm that the default sslmode (when no sslmode parameter is supplied while making the connection) is "prefer". Please note I have not supplied the sslmode parameter in the connection string from psql. Still, the connection is secured:

psql "postgresql://$POSTGRES_HOST:$PG_PORT/postgres" -U postgres
psql (9.6.18, server 9.6.12)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help

This means that prefer is the default sslmode for psql. I have read in the AWS documentation that for JDBC connections to the server the default mode is "verify-full". I created a JDBC connection to the Postgres server by supplying no sslmode in the connection string. Passing "verify-ca" and "verify-full" fails to connect to the Postgres server with a no certificate found exception. The connection was successful. I just want to confirm what the default sslmode is for JDBC connections to the Postgres server when SSL is turned on on the server. I think it should be require or below.

5
  • Why would AWS be documenting JDBC, unless it is an AWS specific implementation? Could you provide a link to that? Commented Aug 13, 2020 at 3:43
  • I am looking at adding SSL to Aurora Postgres Service in AWS. This is the documentation link docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/… Commented Aug 13, 2020 at 16:47
  • Please look at the section "To connect to an Aurora PostgreSQL DB cluster over SSL". The exact section is as follows: The default sslmode mode used is different between libpq-based clients (such as psql) and JDBC. The libpq-based clients default to prefer, where JDBC clients default to verify-full. Commented Aug 13, 2020 at 16:48
  • The AWS documentation glosses over the real behavior. The default of behaving as if sslmode were set to verify-full applies only if you specify ssl=true. If you don't set ssl=true and also don't set sslmode, then JDBC behaves as if sslmode=prefer, same as libpq does. Commented Aug 14, 2020 at 20:57
  • Thanks, I realised that configuring the client for SSL means setting the ssl parameter to true. But is there specific documentation on the PostgreSQL site on this? Also, how do we test to find out that the sslmode is prefer when both these parameters are not set? Commented Aug 16, 2020 at 5:34

1 Answer

5

The default value of the sslmode connection parameter depends on the setting of the connection parameter ssl:

  • if ssl is set to true or set without a value, then sslmode defaults to verify-full

  • if ssl is not set, sslmode defaults to prefer, much like libpq

I'd like to quote the documentation on that, but unfortunately that only becomes clear when you read the source. See pgjdbc/src/main/java/org/postgresql/jdbc/SslMode.java:

public enum SslMode {

[...]

  public static SslMode of(Properties info) throws PSQLException {
    String sslmode = PGProperty.SSL_MODE.getOrDefault(info);
    // If sslmode is not set, fallback to ssl parameter
    if (sslmode == null) {
      if (PGProperty.SSL.getBoolean(info) || "".equals(PGProperty.SSL.getOrDefault(info))) {
        return VERIFY_FULL;
      }
      return PREFER;
    }

    for (SslMode sslMode : VALUES) {
      if (sslMode.value.equalsIgnoreCase(sslmode)) {
        return sslMode;
      }
    }
    throw new PSQLException(GT.tr("Invalid sslmode value: {0}", sslmode),
        PSQLState.CONNECTION_UNABLE_TO_CONNECT);
  }
}

1 Comment

I found the documentation is really not helpful in stating "verify-full" here: jdbc.postgresql.org/documentation/ssl , but "prefer" here: jdbc.postgresql.org/documentation/use/#connection-parameters . With your answer it makes sense now.
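
The defaulting rule from the answer, applied to whole JDBC URLs so that connection strings can be audited offline for the mode they end up with. This is an added example, not part of the original answer or of the pgjdbc code base. The class name, the URL parsing, the `Boolean.parseBoolean` reading of `ssl` and the sample host are assumptions.

```java
import java.util.*;

// Added example: resolves the effective sslmode of a JDBC URL using the rule quoted in the answer.
public class JdbcSslModeAudit {
    // Assumption: URL parameters are '&'-separated and a key without '=' is stored as "".
    static Map<String, String> params(String url) {
        Map<String, String> p = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return p;
        for (String tok : url.substring(q + 1).split("&")) {
            if (tok.isEmpty()) continue;
            int eq = tok.indexOf('=');
            p.put(eq < 0 ? tok : tok.substring(0, eq), eq < 0 ? "" : tok.substring(eq + 1));
        }
        return p;
    }

    // Explicit sslmode wins; otherwise ssl=true or a bare "ssl" gives verify-full, else prefer.
    static String effectiveMode(String url) {
        Map<String, String> p = params(url);
        String mode = p.get("sslmode");
        if (mode != null) return mode.toLowerCase(Locale.ROOT);
        String ssl = p.get("ssl");
        // Assumption: the driver's boolean test behaves like Boolean.parseBoolean.
        boolean sslOn = ssl != null && (ssl.isEmpty() || Boolean.parseBoolean(ssl));
        return sslOn ? "verify-full" : "prefer";
    }

    static String risk(String mode) {
        switch (mode) {
            case "verify-full": return "encrypted, CA chain and host name checked";
            case "verify-ca":   return "encrypted, CA chain checked, host name not checked";
            case "require":     return "encrypted, server certificate not verified";
            case "prefer": case "allow": return "plaintext possible, certificate not verified";
            case "disable":     return "plaintext";
            default:            return "invalid sslmode, the driver rejects the connection";
        }
    }

    public static void main(String[] args) {
        String[] urls = { // constructed sample URLs; db.example.internal is a placeholder host
            "jdbc:postgresql://db.example.internal:5432/postgres",
            "jdbc:postgresql://db.example.internal:5432/postgres?ssl",
            "jdbc:postgresql://db.example.internal:5432/postgres?ssl=true",
            "jdbc:postgresql://db.example.internal:5432/postgres?ssl=false",
            "jdbc:postgresql://db.example.internal:5432/postgres?sslmode=require",
        };
        for (String u : urls) System.out.println(u + " -> " + effectiveMode(u) + ": " + risk(effectiveMode(u)));
    }
}
```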
