Postgres Pro
Downloads
Home   >   mailing lists

Re: SSL certificates issue - Mailing list pgsql-general

From Asia
Subject Re: SSL certificates issue
Date
Msg-id 48636826-a09d4c1893554c6ea787bc2809479c60@pkn7.m5r2.onet
Whole thread Raw
In response to SSL certificates issue  (Asia <asia123321@op.pl>)
Responses Re: SSL certificates issue  (Radosław Smogura <rsmogura@softperience.eu>)
List pgsql-general
Tree view 
> Asia <asia123321@op.pl> writes:
> > I would expect to have only one top-level CA cert in server's and client's root.crt and it was not possible to
configurewith 2-level intermediate CA.  
>
> This seems a little confused, since in your previous message you stated
> that libpq worked correctly and JDBC did not, and now you seem to be
> saying the opposite.
>
> As far as libpq goes, I would expect it to function correctly in 9.0 and
> up (and it did function correctly, last I tested it).  Previous releases
> will not do this nicely, for lack of this patch:
> http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=4ed4b6c54
>
>             regards, tom lane
>


I apologise then, it seems I was not clear enough when explaining my issue.

I am using PostgreSQL, version 9.0.

I have all of it (libpq and jdbc) working, however I have some doubts about the correctness of my configuration.

The situation is more or less like following:

Client intermediate CA (root.crt): C1 -> C2, Client cert: C1 -> C2 ->C3

Server intermediate CA (root.crt): C1 -> S1, Server Cert: C1 -> S1 -> S2

I always use clientcert=1 in pg_hba to force mutual SSL.

Now with the above configuration libpq connects fine. But when I tried to use jdbc it requires me to append client's
intermediateCA - "C1 -> C2"  
to server's root.crt. So server's root.crt content looks like follows:

C1 -> S1  ->  C1 -> C2

Then jdbc conenction works fine and the change does not affect libpq - it works fine like before.

So my point was general why the behavior for libpq and jdbc driver is not common (probably we would need some custom
implementationof Java SSL facory  
for PostgreSQL) - both types of connection have different cert configuration what I believe could be better when it was
common.

And the second issue is that you wrote that it should be enough to put to-level CA certs. So I left only C1 in server's
root.crt,restarted server 
and received following error during connection:

SSL error: certificate verify failed

The question is how to do it correctly?

Please advise.

Kind regards,
Joanna

pgsql-general by date:

Previous
From: "Albe Laurenz"
Date:
Subject: Re: Complex query question
Next
From: Radosław Smogura
Date:
Subject: Re: SSL certificates issue