Connect to CockroachDB with SSL + client cert

Kevin Cox

Nov 17, 2017, 1:21:25 PM
to vert.x
Hi,
I'm trying to connect to CockroachDB (which acts like Postgres) via any of the Vertx data_access modules or alternatives using SSL and client certs.
I am wondering if any of these modules support SSL/TLS plus client certs? I have been able to connect insecurely (just user/pwd) no problem.
I have not found any docs or examples regarding certs for connections similar to the blocking JDBC driver connection properties. The configuration should be very similar to connecting to Postgres over SSL.
Is anyone aware whether it's possible, or of any examples, or has anyone connected to CockroachDB via SSL successfully?
I did see in the vertx-mysql-postgresql-client module that uses mauricio/postgresql-async, that the mauricio lib supports sslmode verify-ca and verify-full, but these don't seem to be bubbled up to vertx-mysql-postgresql-client to use.
My alternative is to use the blocking driver and wrap all the db calls with vertx.executeBlocking to deal with the blocking.

Thank you for your advice,
Kevin
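
The blocking fallback described in the post above, sketched as an added example (not code from the thread or from any Vert.x module). It assumes the PostgreSQL JDBC driver (pgjdbc) is on the classpath and the Vert.x 3.x `executeBlocking` API; the host, database, user and certificate paths are hypothetical.

```java
import io.vertx.core.Vertx;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class CockroachTlsExample {
  // Hypothetical host, port and database; adjust to your cluster.
  static final String URL = "jdbc:postgresql://crdb.example.internal:26257/appdb";

  static Properties tlsProps() {
    Properties p = new Properties();
    p.setProperty("user", "appuser"); // hypothetical user, authenticated by its client cert
    // verify-full validates the server certificate against sslrootcert and
    // checks that it matches the host name; verify-ca validates the chain only.
    p.setProperty("sslmode", "verify-full");
    p.setProperty("sslrootcert", "/etc/crdb/certs/ca.crt");             // hypothetical path
    p.setProperty("sslcert", "/etc/crdb/certs/client.appuser.crt");     // hypothetical path
    // pgjdbc reads the client key in PKCS#8 DER format, not PEM.
    p.setProperty("sslkey", "/etc/crdb/certs/client.appuser.key.pk8");  // hypothetical path
    return p;
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    // Run the blocking JDBC handshake and query on a worker thread,
    // then receive the result back on the event loop.
    vertx.<String>executeBlocking(fut -> {
      try (Connection c = DriverManager.getConnection(URL, tlsProps());
           Statement s = c.createStatement();
           ResultSet rs = s.executeQuery("SELECT version()")) {
        rs.next();
        fut.complete(rs.getString(1));
      } catch (Exception e) {
        // A certificate or host name mismatch surfaces here as a failed connection.
        fut.fail(e);
      }
    }, res -> {
      if (res.succeeded()) {
        System.out.println("Connected over TLS: " + res.result());
      } else {
        System.err.println("TLS connection failed: " + res.cause());
      }
      vertx.close();
    });
  }
}
```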

Phil Lehmann

Nov 17, 2017, 3:06:39 PM
to vert.x
I personally connect to Postgres using SSH to the Postgres host and then authenticate using username / password locally, while disabling any other login (from any other host) on the Postgres server.

That way, I have encryption + async - but indeed no client certification. As Postgres is not reachable from other hosts, the only way to hack into it is to hack the host. Then, it's probably easier to do a privilege escalation and retrieve the Postgres data files than to bruteforce into Postgres using username / password.

KR
Phil

Emad Alblueshi

Dec 8, 2017, 1:08:11 PM
to vert.x
I have contributed to this driver

https://github.com/vietj/reactive-pg-client

Can you try that and give us your feedback?

Emad,
