Re: SSL certificates issue - Mailing list pgsql-general
From | Radosław Smogura
---|---
Subject | Re: SSL certificates issue
Date |
Msg-id | 25e64c8a8d5332a1757c8a91d2a7dfde@mail.softperience.eu
In response to | Re: SSL certificates issue (Asia <asia123321@op.pl>)
List | pgsql-general
On Wed, 07 Sep 2011 12:03:45 +0200, Asia wrote:
>> Asia <asia123321@op.pl> writes:
>> > I would expect to have only one top-level CA cert in server's and
>> > client's root.crt and it was not possible to configure with 2-level
>> > intermediate CA.
>>
>> This seems a little confused, since in your previous message you stated
>> that libpq worked correctly and JDBC did not, and now you seem to be
>> saying the opposite.
>>
>> As far as libpq goes, I would expect it to function correctly in 9.0 and
>> up (and it did function correctly, last I tested it). Previous releases
>> will not do this nicely, for lack of this patch:
>>
>> http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=4ed4b6c54
>>
>> regards, tom lane
>
> I apologise then, it seems I was not clear enough when explaining my issue.
>
> I am using PostgreSQL, version 9.0.
>
> I have all of it (libpq and JDBC) working, however I have some doubts
> about the correctness of my configuration.
>
> The situation is more or less like the following:
>
> Client intermediate CA (root.crt): C1 -> C2, Client cert: C1 -> C2 -> C3
>
> Server intermediate CA (root.crt): C1 -> S1, Server cert: C1 -> S1 -> S2
>
> I always use clientcert=1 in pg_hba to force mutual SSL.
>
> Now with the above configuration libpq connects fine. But when I tried
> to use JDBC it requires me to append the client's intermediate CA
> "C1 -> C2" to the server's root.crt. So the server's root.crt content
> looks as follows:
>
> C1 -> S1 -> C1 -> C2
>
> Then the JDBC connection works fine and the change does not affect
> libpq - it works fine like before.
>
> So my point was general: why is the behavior for libpq and the JDBC
> driver not common (probably we would need some custom implementation
> of a Java SSL factory for PostgreSQL)? Both types of connection have
> different cert configuration, which I believe could be better if it
> were common.
>
> And the second issue is that you wrote that it should be enough to
> put top-level CA certs. So I left only C1 in the server's root.crt,
> restarted the server and received the following error during connection:
>
> SSL error: certificate verify failed
>
> The question is how to do it correctly?
>
> Please advise.
>
> Kind regards,
> Joanna

I think the problem is as follows: the server sends to the client the certificates it can accept (as accepted parents), without the intermediate CA. Java sees only the top-level cert and tries to find a client cert issued directly by the top-level CA. I may only assume that without the intermediate CA you will be able to auth against any cert signed by the top-level CA (this may cause a small security hole as well). I think this is not needed, but I suggest you also check cert "policies" with v3 extensions. Java is really pedantic about security.

Regards,
Radek
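The root.crt behaviour discussed in this thread, as an added example that is not part of the thread or of PostgreSQL: the script below builds the poster's two-level client chain (C1 root -> C2 intermediate -> C3 client cert) with throwaway keys it generates itself, then verifies C3 against a root.crt holding only C1 and against one that also holds C2, which is the check the server performs on a client certificate when clientcert=1 is set. It assumes the openssl command-line tool is installed; all names and files are constructed here.

```shell
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: CA certs need CA:TRUE, the client leaf must not be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# issue_cert NAME ISSUER EXTFILE SERIAL: create a key and CSR for NAME, then
# have ISSUER sign it (self-signed when ISSUER is empty).
issue_cert() {
  name=$1; issuer=$2; ext=$3; serial=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -set_serial "$serial" -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -days 2 -set_serial "$serial" \
      -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# verify_client_cert ROOTCRT LEAF: exit status 0 when LEAF chains to the CAs
# in ROOTCRT, non-zero otherwise. The client presents only its own cert, so
# the server's root.crt must supply every CA on the path, intermediates included.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed chain: C1 (root) -> C2 (intermediate) -> C3 (client cert).
issue_cert C1 "" "$WORK/ca.ext" 1
issue_cert C2 C1 "$WORK/ca.ext" 2
issue_cert C3 C2 "$WORK/leaf.ext" 3

# root.crt holding only the top-level CA: the "certificate verify failed" case.
cp "$WORK/C1.pem" "$WORK/root_top_only.crt"
# root.crt with the client's intermediate appended: the configuration that worked.
cat "$WORK/C1.pem" "$WORK/C2.pem" > "$WORK/root_with_intermediate.crt"

for store in root_top_only root_with_intermediate; do
  if verify_client_cert "$WORK/$store.crt" "$WORK/C3.pem"; then
    echo "$store: C3 OK"
  else
    echo "$store: C3 certificate verify failed"
  fi
done
```

The same trust-store rule applies whichever client talks to the server, so once root.crt carries the client's intermediate the outcome no longer depends on whether libpq or the JDBC driver opens the connection.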