我的JDBC连接到数据库是否使用SSL

我的JDBC连接到数据库是否使用SSL

本文介绍了我的JDBC连接到数据库是否使用SSL?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

如何知道JDBC连接到SQL Server是否安全(即使用SSL)?

How can one know if the JDBC connection to an SQL server is secure (i.e. uses SSL) or not?

例如从URL显而易见。所有JDBC驱动程序都支持与数据库服务器的SSL连接,还是使用SSL只是依赖于特定的数据库供应商?

Is it obvious for example from the URL. Do all JDBC drivers support SSL connections to the database server, or does the use of SSL just depends on the specific database vendor?

推荐答案

JDBC规范中不强制支持SSL / TLS。所以你不能指望每个驱动程序。

Support for SSL/TLS is not mandated in the JDBC specification. So you cannot expect it in every driver.

数据库服务器上的SSL配置可以从JDBC URL中推断出来,但这不一定是确定性的。在Oracle的情况下,如果您注意到该URL包含一个连接字符串,表示正在使用的协议是TCPS而不是TCP,它指向使用SSL / TLS。如果你这样做来验证一个安全配置,我会称之为马虎。

SSL configuration on the database server could be inferred from the JDBC URL, but this need not be deterministic. In the case of Oracle, if you notice that the URL contains a connection string that indicates that the protocol in use is TCPS instead of TCP, which points to the use of SSL/TLS. If you are doing this to validate a security configuration, I would call you sloppy.

单独验证客户端配置以确定数据库服务器是否接受连接是不明智的SSL,特别是如果不允许非SSL连接。用于验证SSL / TLS配置的机制将因数据库而异,但在每种情况下都有适当的安全指南来配置数据库。

It is unwise to verify the client configuration alone to determine if the database server accepts connections over SSL, especially if non-SSL connections are disallowed. The mechanisms for verifying the SSL/TLS configuration will vary from database to database, but there would be appropriate security guides for configuring the database in each case.

如果您要但是,要快速测试,要验证连接是否超过SSI / TLS,那么您必须知道的是,SSL / TLS安全连接是通过握手启动的。如果没有看到,那么您的驱动程序不使用SSL / TLS。您将需要嗅探网络流量(请确保您有权这样做)。当然,如果连接池正在使用,则需要更长时间才能建立连接池,因为池中的物理连接可能会重复使用(不需要设置新的连接)。同样,你也可能会发现nmap是有用的,但是我从来没有使用过它。

If you want to do a quick test however, to verify if connectivity is over SSl/TLS, then all you have to know is that SSL/TLS secured connections are initiated with a handshake. If you do not see any, then your driver is not using SSL/TLS. You'll need to sniff network traffic for this (make sure that you have authorization to do so). Of course, it would take longer to establish the case if a connection pool were in use, for the physical connections in the pool might be reused time and again (without new connections being setup). Likewise, you might also find nmap to be useful, but I've never used it for this purpose.

这篇关于我的JDBC连接到数据库是否使用SSL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-13 15:43