Menu
How can one know if the JDBC connection to an SQL server is secure (i.e. uses SSL) or not?
Is it obvious for example from the URL. Do all JDBC drivers support SSL connections to the database server, or does the use of SSL just depends on the specific database vendor?
954
You can configure database connections for the to use the Secure Sockets Layer (SSL) protocol. The client must use the same public key certificate file as the server.
Encryption of JDBC connection is managed by parameters passed to the third party JDBC client jars that are supplied by the JDBC provider. You can use the IBM® Integration Bus JDBCProviders configurable service or a vendor-specific configuration file to pass the parameters.
2 and later, FairCom DB SQL JDBC supports TLS connections per the JDBC standard. Enable TLS in a JDBC connection URL using the ssl=value parameter string. TLS connections are enabled in the JDBC connection URL using the new format (it is not supported on the old URL format) and a new parameter ssl.
5.1 About the Java Implementation. The Java implementation of Oracle Advanced Security provides network encryption and integrity protection for Thin JDBC clients communicating with Oracle Databases that have Oracle Advanced Security enabled. This section contains the following topics: Java Database Connectivity Support.
Do all jdbc drivers support ssl connection to db server and the use of ssl just depends on a specific db vendor?
Support for SSL/TLS is not mandated in the JDBC specification. So you cannot expect it in every driver.
SSL configuration on the database server could be inferred from the JDBC URL, but this need not be deterministic. In the case of Oracle, if you notice that the URL contains a connection string that indicates that the protocol in use is TCPS instead of TCP, which points to the use of SSL/TLS. If you are doing this to validate a security configuration, I would call you sloppy.
It is unwise to verify the client configuration alone to determine if the database server accepts connections over SSL, especially if non-SSL connections are disallowed. The mechanisms for verifying the SSL/TLS configuration will vary from database to database, but there would be appropriate security guides for configuring the database in each case.
If you want to do a quick test however, to verify if connectivity is over SSl/TLS, then all you have to know is that SSL/TLS secured connections are initiated with a handshake. If you do not see any, then your driver is not using SSL/TLS. You'll need to sniff network traffic for this (make sure that you have authorization to do so). Of course, it would take longer to establish the case if a connection pool were in use, for the physical connections in the pool might be reused time and again (without new connections being setup). Likewise, you might also find nmap to be useful, but I've never used it for this purpose.
196
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
