the problem was traced to server certificate expiration
the problematic server cert is signed by a commercial CA. i think
problem is caused by jdbc not connecting to expired certificate
however jdbc had not been checking that hostname is the same as CN ;
so i had assumed that i does no other checking.
since psql was working it confused me even more. replacing with
unexpired commercial certificate fixes the problem although this new
cert CN does match the hostname.
jdbc also does not like unexpired server cert signed by the company CA.
good to learn something new.
very sorry about the noise.
On Fri, Feb 4, 2011 at 8:48 PM, zhong ming wu <mr.z.m.wu@gmail.com> wrote:
> Dear List
>
> I am not a very experienced user of jdbc although have been using
> postgresql for many years having done many server installation and
> administering them.
>
> From three different systems (mac, windows, and centos virtualbox)
> behind 1 ip address I had succeeded in getting ssl connection to a
> remote server via jdbc. (That after much struggle on centOS
> glassfish; turns out i had to run
> "asadmin set domain.resources.jdbc-connection-pool.connectionPool.property.JDBC30DataSource=true"
> at glassfish account)
>
> On mac and windows the connection is set up via netbeans/glassfish.
> All were working very well for about two weeks up until yesterday
> evening.
>
> Today all three connections stop working for no apparent reason. I
> had not touched any settings on the postgresql server.
>
> In server log I only get this,
>
> LOG: could not accept SSL connection: sslv3 alert certificate unknown
>
> Yes I googled this problem and find pages seemingly not relevant to my
> problem. I know I have ssl connection right because it was working
> just 24 hours ago with no changes in server or client settings.
>
> Even weirder I can still connect to this server using psql from centOS
> virtualbox. See this
> ------------------
> /usr/local/pg/bin/psql -U mail -h server.address -p 5433 mail
> Password for user mail:
> psql (9.0.2)
> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
> Type "help" for help.
>
> mail=>
> -----------
>
> Any suggestions? Do I suddenly need to enter server ssl cert into
> keystore of glassfish server now? But I didn't need it before!
>
> Some webpages mention using property
> sslfactory=org.postgresql.ssl.NonValidatingFactory
>
> That does not seem to help much.
>
> Thanks
>
> mr wu
>
