[Babase] Re: Ranker security problems

Jun Yang junyang at gmail.com
Sat Sep 22 13:17:10 EDT 2007


Hi Karl:

Thanks!  I am currently traveling (returning on October 1), but
managed to find an Internet connection to make the changes you
suggested below. (BTW, the code on papio is at
/home/junyang/ranker/BabaseRanker-1.0/)

The version has now been deployed, but I cannot test it.  Lacey, can
you give the new version a try?

Thanks,

--- Jun Y.

On 9/20/07, Karl O. Pinc <kop at meme.com> wrote:
>
> On 09/02/2007 06:05:19 PM, Karl O. Pinc wrote:
> >
> > On 08/31/2007 08:20:05 PM, Jun Yang wrote:
> >> How are we going to resolve this problem?  This doesn't seem to be
> >> something I could fix in the ranker code---sounds more like a setup
> >> issue on papio?
> >
> > Papio is set up for the simplest possible SSL connection,
> > no certificate at all is required.
>
> The problem is that the jdbc library used by the ranker
> assumes the use of a certificate.  For how to prevent this see:
>
> Using SSL without Certificate Validation
> http://jdbc.postgresql.org/documentation/81/ssl-client.html#nonvalidating
>
> Appended is a patch to BabaseRanker/babase/ranker/Database.java.
> This probably fixes the problem, but I didn't test it.
> In fact I've not yet figured out how to compile it or
> put it in a jar file, so there could be something grossly wrong.
>
> Something that's surely wrong is that the code is from Tyler's
> old ranker version found at:
> https://papio.biology.duke.edu/babasewiki/RankerProgram?action=AttachFile
> in the currentbabase.zip file.
>
> I think it'd be a good idea to put the new code on papio somewhere.
>
> Note that the patch has tabs in it, and these will probably
> be munged by inclusion in an email.
>
> Karl <kop at meme.com>
> Free Software:  "You don't pay back, you pay forward."
>                   -- Robert A. Heinlein
>
> ----------<snip>----------------
>
> --- Database.java       2007-05-17 00:30:42.000000000 -0500
> +++ Database.java.new   2007-09-20 17:03:35.000000000 -0500
> @@ -63,7 +63,14 @@
>          * @throws SQLException if it cannot connect
>          */
>         public void connect(String user, String pass, String db) throws
> SQLException {
> -               myConnection =
> DriverManager.getConnection("jdbc:postgresql://172.16.3.1:5432/"+db,
> user, pass);
> +               String url =
> "jdbc:postgresql://papio.biology.duke.edu:5432/"+db;
> +               Properties props = new Properties();
> +               props.SetProperty("user", user);
> +               props.SetProperty("password", pass);
> +               /* Connect with ssl, but without a certificate. */
> +               props.SetProperty("ssl", true);
> +               props.SetProperty("sslfactory",
> "org.postgresql.ssl.NonValidatingFactory");
> +               myConnection = DriverManager.getConnection(url, props);
>                 myConnectionStatus = true;
>                 myDB = db;
>         }
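Review bot: as written this hunk will not compile. `java.util.Properties` has no `SetProperty` method (Java is case-sensitive; the method is `setProperty`), and `setProperty` takes two `String` arguments, so the boolean in `props.SetProperty("ssl", true);` must be the string `"true"`. The four property calls should read along the lines of `props.setProperty("user", user);`, `props.setProperty("ssl", "true");` and `props.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");`. Check as well that `import java.util.Properties;` is present at the top of Database.java, which this hunk does not show. Two further points: the hunk also changes the host from the hard-coded address 172.16.3.1 to papio.biology.duke.edu, which is a separate change from the SSL fix and worth stating explicitly when this goes in; and `NonValidatingFactory` means the connection is encrypted but the client never verifies that the server it reaches is papio, so this is only appropriate where an interposed host is not a concern, which is the trade-off the "Using SSL without Certificate Validation" section referenced above describes. Since the patch has not been compiled yet, Lacey's test run will be the first time it is exercised, so a compile failure on `SetProperty` is the first thing to look for.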
>
>

