Does my JDBC connection to the database use SSL or

2020-02-20 06:50发布

How can one know if the JDBC connection to an SQL server is secure (i.e. uses SSL) or not?

Is it obvious for example from the URL. Do all JDBC drivers support SSL connections to the database server, or does the use of SSL just depends on the specific database vendor?

3条回答
我想做一个坏孩纸
3楼-- · 2020-02-20 07:27

In my opinion, a fast, secure and vendor neutral way of ensuring an SSL connection between your client and your server is to use s-tunnel.

s-tunnel (sometimes also called "stunnel") gives you lots of flexibility, such as mutual authentication etc, and still allows applications installed on the DB Server to communicate with it via a non-SSL connection (SQL Server for example allows connections in three modes (SSL OFF, SSL Optional, or SSL Only).

Using s-tunnel your connection would be routed something like this:

jdbc -> local s-tunnel port -> server's s-tunnel port -> server's database port.

By setting stunnel with the relevant firewall rules you can have confidence that remote connections to the DB are using SSL.

查看更多
闹够了就滚
4楼-- · 2020-02-20 07:30

Do all jdbc drivers support ssl connection to db server and the use of ssl just depends on a specific db vendor?

Support for SSL/TLS is not mandated in the JDBC specification. So you cannot expect it in every driver.

SSL configuration on the database server could be inferred from the JDBC URL, but this need not be deterministic. In the case of Oracle, if you notice that the URL contains a connection string that indicates that the protocol in use is TCPS instead of TCP, which points to the use of SSL/TLS. If you are doing this to validate a security configuration, I would call you sloppy.

It is unwise to verify the client configuration alone to determine if the database server accepts connections over SSL, especially if non-SSL connections are disallowed. The mechanisms for verifying the SSL/TLS configuration will vary from database to database, but there would be appropriate security guides for configuring the database in each case.

If you want to do a quick test however, to verify if connectivity is over SSl/TLS, then all you have to know is that SSL/TLS secured connections are initiated with a handshake. If you do not see any, then your driver is not using SSL/TLS. You'll need to sniff network traffic for this (make sure that you have authorization to do so). Of course, it would take longer to establish the case if a connection pool were in use, for the physical connections in the pool might be reused time and again (without new connections being setup). Likewise, you might also find nmap to be useful, but I've never used it for this purpose.

查看更多
登录 后发表回答