Re: ssl connection issues - Mailing list pgsql-jdbc
From | Gabriele Bulfon |
---|---|
Subject | Re: ssl connection issues |
Date | |
Msg-id | 155033975.533.1536909986843@www |
In response to | ssl connection issues (Gabriele Bulfon <gbulfon@sonicle.com>) |
List | pgsql-jdbc |
Hi,
Sorry, I'm replying to my own original email because, due to some unwanted filter, I lost the thread's emails from the list in my inbox...
Vladimir, here is the output from openssl:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=www.company.it/emailAddress=email@company.it
        Validity
            Not Before: Sep 11 07:40:57 2018 GMT
            Not After : Sep 8 07:40:57 2028 GMT
        Subject: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=server.name.com/emailAddress=email@company.it
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:99:1e:60:44:76:63:dc:9c:49:c3:d0:69:81:ac:
                    81:2a:19:28:01:70:9c:c9:d5:0b:22:b9:4c:78:75:
                    a9:d5:80:18:96:ad:cd:94:cd:cd:a4:36:0f:a6:06:
                    0f:c7:41:2f:66:43:49:08:53:ff:54:be:ad:bc:02:
                    76:eb:66:94:40:fa:4e:65:44:37:69:6d:43:62:9a:
                    5e:8a:46:30:d8:55:af:aa:27:bb:b8:e0:c3:ed:75:
                    2f:92:11:69:e5:24:c3:e8:d5:a4:92:52:22:b0:8e:
                    93:0d:57:95:25:e6:c0:c4:42:f8:36:67:fe:bb:d8:
                    22:51:f4:b3:e9:e8:dc:34:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier:
                B7:82:BB:04:2C:66:7E:78:72:D8:DD:2A:CB:84:A7:A9:8B:52:EB:5B
            X509v3 Authority Key Identifier:
                keyid:BC:ED:8A:2A:3A:D7:F9:B0:97:9C:18:9A:F5:01:D1:83:EB:32:C2:89
                DirName:/C=IT/ST=MI/L=Assago/O=Company S.p.A./CN=www.company.it/emailAddress=email@company.it
                serial:87:84:72:38:BB:2F:30:A2
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
         52:ae:b0:1f:6a:e8:ab:f3:ca:a5:bf:2e:96:75:a6:4a:a7:c1:
         32:d0:c6:53:d2:c8:36:d1:00:f6:56:b5:d8:99:65:b0:3b:a1:
         11:d6:63:d3:c5:60:5d:69:14:46:b3:10:a7:c5:f1:34:fe:c0:
         b5:bc:90:72:c1:2b:ff:c8:e8:3d:54:d5:2a:0c:19:c3:f5:16:
         ab:f2:cd:89:4e:eb:f6:b7:5a:36:43:c3:88:11:41:67:31:f8:
         15:ad:45:19:50:0d:ec:fd:81:9b:03:47:f4:71:a0:f3:58:b6:
         c8:a9:29:12:d9:a7:b3:00:77:d5:2c:7c:2e:de:10:fe:8f:52:
         d4:c2
Sonicle S.r.l. : http://www.sonicle.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon
From: Gabriele Bulfon <gbulfon@sonicle.com>
To: pgsql-jdbc@lists.postgresql.org
Date: 13 September 2018 14.23.45 CEST
Subject: ssl connection issues
Hello,
I recently configured Postgresql 9.0.9 with SSL only "on" and all its needed server certificates.
I then created the client certificates and started working with them from a windows client.
At first I used them with tools like Navicat, just specified the 3 certs files (key,crt and root.crt) in the ssl pane, worked fine.
Then I tried with ODBC, placed the files in %APPDATA%/postgresql with correct names (postgresql.key, postgresql.crt, root.crt), created the connection and tested it, worked fine.
Last I tried with jdbc, thinking it would have been so easy: I'm fighting for 2 days with lots of different issues.
After some messing, I also finally discovered that, different from odbc, it would look for a pk8 file (why this difference?).
I created the pk8 file on the server from the original key used for odbc, with the command:
# openssl pkcs8 -topk8 -in client.key -out client.pk8 -outform DER -nocrypt
placed the pk8 file in %APPDATA%/postgresql and launched my test java connection:
Connection con=DriverManager.getConnection("jdbc:postgresql://myhost:5432/mydb?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=require","user","pass");
And now I get this:
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: decrypt_error
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
Tried both with jdk1.7 and jdk1.8 and openjdk1.8.
Any idea?
Gabriele
Sonicle S.r.l. : http://www.sonicle.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon
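An added check, not part of the original thread: it compares the public key inside the client certificate with the one derived from the PKCS#8 DER file produced by the `openssl pkcs8 -topk8 ... -outform DER -nocrypt` command in the message above, so a key/certificate mix-up is caught before the driver attempts a handshake. The function names are hypothetical, the file names in `make_sample` follow the message, and the generated key material is constructed test data.

```shell
#!/bin/sh
# Added example: confirm that a PKCS#8 DER key (.pk8) belongs to a client certificate.

# Public key (PEM SubjectPublicKeyInfo) embedded in a PEM certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from an unencrypted PKCS#8 DER private key.
pk8_pubkey() { openssl pkey -inform DER -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT PK8
# returns 0 = same key pair, 1 = different keys, 2 = an input could not be read.
key_matches_cert() {
    c=$(cert_pubkey "$1") || return 2
    k=$(pk8_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed test data: a throwaway self-signed client certificate, its key
# converted with the command from the message, and an unrelated second key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$1/postgresql.key" -out "$1/postgresql.crt" >/dev/null 2>&1 &&
    openssl pkcs8 -topk8 -in "$1/postgresql.key" \
        -out "$1/postgresql.pk8" -outform DER -nocrypt &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -outform DER -out "$1/other.pk8" 2>/dev/null
}

# Stand-alone use: sh check.sh postgresql.crt postgresql.pk8
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" ||
        echo "MISMATCH or unreadable input"
fi
```

Run it against the files the driver will actually load, since the `.pk8` file is derived separately from the `.key` file used by the other clients.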