Thread: SSL Problem

SSL Problem

From
"Stefano Bonnin"
Date:
Hi, I have seen the same problem in the past on this list but I don't know how (and if) it has been solved.
I'm trying to connect my Java stand-alone application with postgres 7.4.2 via SSL.
 
I followed the instructions
...
...
and then I tried an SSL connection with pgAdmin: all works correctly.
Afterwards I tried to connect via Java and the following error appears on the screen:
 
 
PostgreSQL 7.4.3 JDBC3 with SSL (build 214)
    ssl = true
    compatible = 7.4
    loglevel = 2
Using Protocol Version3
Asking server if it supports ssl
Server response was (S=Yes,N=No): S
server does support ssl
converting regular socket connection to ssl
org.postgresql.util.PSQLException
        at org.postgresql.core.PGStream.flush(PGStream.java:415)
        at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:284)
        at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:213)
        at org.postgresql.Driver.connect(Driver.java:139)
        at java.sql.DriverManager.getConnection(DriverManager.java:512)
        at java.sql.DriverManager.getConnection(DriverManager.java:140)
        at SmitConnection.<init>(SmitConnection.java:42)
        at Config.<init>(Config.java:120)
        at ServerTask$RemindTask.run(ServerTask.java:146)
        at java.util.TimerThread.mainLoop(Timer.java:432)
        at java.util.TimerThread.run(Timer.java:382)
Exception: org.postgresql.util.PSQLException: Si è verificato un errore di I/O mentre si svuotava il buffer duscita - {0}
getConnection failed: org.postgresql.util.PSQLException: Si è verificato un errore di I/O mentre si svuotava il buffer duscita - {0}
Syncroro: errore nella fase di connessione al database di sistema.
org.postgresql.util.PSQLException: Si è verificato un errore di I/O mentre si svuotava il buffer duscita - {0}
        at org.postgresql.core.PGStream.flush(PGStream.java:415)
        at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:284)
        at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:213)
        at org.postgresql.Driver.connect(Driver.java:139)
        at java.sql.DriverManager.getConnection(DriverManager.java:512)
        at java.sql.DriverManager.getConnection(DriverManager.java:140)
        at SmitConnection.<init>(SmitConnection.java:42)
        at Config.<init>(Config.java:120)
        at ServerTask$RemindTask.run(ServerTask.java:146)
        at java.util.TimerThread.mainLoop(Timer.java:432)
        at java.util.TimerThread.run(Timer.java:382)
java.lang.NullPointerException
        at Config.<init>(Config.java:122)
        at ServerTask$RemindTask.run(ServerTask.java:146)
        at java.util.TimerThread.mainLoop(Timer.java:432)
        at java.util.TimerThread.run(Timer.java:382)
 
I have not changed my Java code. I have only changed the JDBC URL by adding ?ssl&loglevel=2 at the end of the URL.
 
Thanks in advance.
 
RedS

Re: SSL Problem

From
Kris Jurka
Date:

On Wed, 14 Jul 2004, Stefano Bonnin wrote:

> Hi, I have seen the same problem in the past of this list but I don't
> know how (and if) it has been solved. I'm trying to connect my java
> stand alone application with postgres 7.4.2 via SSL.
>
> I followed the instructions ...
> http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php ... and
> then I tried an SSL connection with pgAdmin: all works correctly After I
> tried to connect via java and the following error appear on the screen:
>
> converting regular socket connection to ssl
> org.postgresql.util.PSQLException
>         at org.postgresql.core.PGStream.flush(PGStream.java:415)
>         at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:284)

I can't say I've seen this error before.  Do you have any other
information?  The server log might say something about what happened on
that end.

Kris Jurka


Re: SSL Problem

From
"Stefano Bonnin"
Date:
The postgresql server log gives me the following error:

****
 could not initialize SSL connection: sslv3 alert certificate unknown
****

What's wrong in my operations?
About the certificate I did the following operations:

cd \ postgres_data_dir
openssl req -new -text -out server.req
openssl rsa -in privkey.pem -out server.key
rm privkey.pem
openssl req -x509 -in server.req -text -key server.key -out server.crt
chmod og-rwx server.key
openssl x509 -in server.crt -out server.crt.der -outform der

keytool -keystore /usr/local/j2sdk1.4.2_04/jre/lib/security/cacerts -alias postgres -import -file server.crt.der

... then I typed changeit as password


What I didn't understand in these steps is the following:

keytool -keystore ... etc ...

import the certificate in the java keystore and the JDBC driver *must* find
the certificate in the keystore and download it on the client, isn't it true? (I
don't know if this is true) BUT if my affirmation is true HOW the JDBC
driver (on the client) can find it in
/usr/local/j2sdk1.4.2_04/jre/lib/security?


Reds.

----- Original Message -----
From: "Kris Jurka" <books@ejurka.com>
To: "Stefano Bonnin" <stefano.bonnin@comai.to>
Cc: <pgsql-jdbc@postgresql.org>
Sent: Thursday, July 15, 2004 9:44 AM
Subject: Re: [JDBC] SSL Problem


>
>
> On Wed, 14 Jul 2004, Stefano Bonnin wrote:
>
> > Hi, I have seen the same problem in the past of this list but I don't
> > know how (and if) it has been solved. I'm trying to connect my java
> > stand alone application with postgres 7.4.2 via SSL.
> >
> > I followed the instructions ...
> > http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php ... and
> > then I tried an SSL connection with pgAdmin: all works correctly After I
> > tried to connect via java and the following error appear on the screen:
> >
> > converting regular socket connection to ssl
> > org.postgresql.util.PSQLException
> >         at org.postgresql.core.PGStream.flush(PGStream.java:415)
> >         at org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:284)
>
> I can't say I've seen this error before.  Do you have any other
> information?  The server log might say something about what happened on
> that end.
>
> Kris Jurka
>
>


Re: SSL Problem

From
Kris Jurka
Date:

On Thu, 15 Jul 2004, Stefano Bonnin wrote:
> keytool -keystore /usr/local/j2sdk1.4.2_04/jre/lib/security/cacerts -alias
> postgres -import -file server.crt.der
>
> What I didn't understand in these steps is the following:
>
> keytool -keystore ... etc ...
>
> import the certificate in the java keystore and the JDBC driver *must* find
> the certificate in the keystore and download it on the client, isn't it true? (I
> don't know if this is true) BUT if my affirmation is true HOW the JDBC
> driver (on the client) can find it in
> /usr/local/j2sdk1.4.2_04/jre/lib/security?

The certificate must be available to the client.  There is no "find and
download" going on.  These instructions were likely written for the client
on the same machine as the server so it was not emphasized that the cert
needs to be available to the client JVM.

Kris Jurka

Re: SSL Problem

From
"Stefano Bonnin"
Date:
OK, thanks,
but now, do you have any idea?

In the previous e-mail I sent you only the server error; now I send you the
server log messages at postgres startup time:

2004-07-15 14:03:40 LOG:  could not load root certificate file "/usr/local/pgsql-7.4.2/bin/../../pgsql-7.4.1/data/root.crt": No such file or directory
DETAIL:  Will not verify client certificates.
2004-07-15 14:03:40 LOG:  could not create IPv6 socket: Famiglia dell'indirizzo non gestita dal protocollo
2004-07-15 14:03:40 LOG:  database system was shut down at 2004-07-15 14:03:40 CEST
2004-07-15 14:03:40 LOG:  checkpoint record is at 11/F6DC6DB4
2004-07-15 14:03:40 LOG:  redo record is at 11/F6DC6DB4; undo record is at 0/0; shutdown TRUE
2004-07-15 14:03:40 LOG:  next transaction ID: 27829164; next OID: 45696008
2004-07-15 14:03:40 LOG:  database system is ready

It doesn't find any root.crt, this is right, I think.

Thanks in advance.

RedS

----- Original Message -----
From: "Kris Jurka" <books@ejurka.com>
To: "Stefano Bonnin" <stefano.bonnin@comai.to>
Cc: <pgsql-jdbc@postgresql.org>
Sent: Thursday, July 15, 2004 3:40 PM
Subject: Re: [JDBC] SSL Problem


>
>
> On Thu, 15 Jul 2004, Stefano Bonnin wrote:
> > keytool -keystore /usr/local/j2sdk1.4.2_04/jre/lib/security/cacerts -alias
> > postgres -import -file server.crt.der
> >
> > What I didn't understand in these steps is the following:
> >
> > keytool -keystore ... etc ...
> >
> > import the certificate in the java keystore and the JDBC driver *must* find
> > the certificate in the keystore and download it on the client, isn't it true? (I
> > don't know if this is true) BUT if my affirmation is true HOW the JDBC
> > driver (on the client) can find it in
> > /usr/local/j2sdk1.4.2_04/jre/lib/security?
>
> The certificate must be available to the client.  There is no "find and
> download" going on.  These instructions were likely written for the client
> on the same machine as the server so it was not emphasized that the cert
> needs to be available to the client JVM.
>
> Kris Jurka
>


Re: SSL Problem

From
Kris Jurka
Date:

On Thu, 15 Jul 2004, Stefano Bonnin wrote:

> 2004-07-15 14:03:40 LOG:  could not load root certificate file
> "/usr/local/pgsql-7.4.2/bin/../../pgsql-7.4.1/data/root.crt": No such file
> or directory
> DETAIL:  Will not verify client certificates.

This is fine.  You do not need a root.crt file.   This is used to
authenticate clients to the server which is optional and not necessary to
establish a SSL connection.

Again the problem seems to be that you have not made the server cert
available to the connecting jvm.  Adding -Djavax.net.debug=ssl to your
java command will produce a lot of debug information, but will likely
confirm this.  The key line will be in the first part of the output where
it displays which trustStore you are using.  The server cert must be in
this file.

Kris Jurka
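
[Added example, not part of the original messages.] A small check for the point made above: it resolves the trust store the client JVM uses by default and reports whether the server certificate is in it. The class name is hypothetical; server.crt.der and the "changeit" password are the values from the thread, and the code assumes Java 9 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example (not from the thread): shows which trust store this JVM uses
// by default and whether the PostgreSQL server certificate is in it.
public class TrustStoreCheck {
    // Same default order JSSE uses: javax.net.ssl.trustStore if set,
    // otherwise lib/security/jssecacerts, otherwise lib/security/cacerts.
    static File resolveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return new File(configured);
        }
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jssecacerts = new File(dir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(dir, "cacerts");
    }

    // Returns the alias under which the certificate is stored, or null.
    static String findAlias(File storeFile, char[] password, File certFile)
            throws Exception {
        Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Java 9+: detects the store format (JKS or PKCS12) from the file.
        KeyStore store = KeyStore.getInstance(storeFile, password);
        return store.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreCheck <server.crt.der>");
            System.exit(2);
        }
        // Assumption: "changeit" (the stock cacerts password) unless overridden.
        char[] password = System.getProperty(
                "javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        File store = resolveTrustStore();
        String alias = findAlias(store, password, new File(args[0]));
        System.out.println("trust store: " + store.getAbsolutePath());
        System.out.println(alias != null
                ? "server certificate trusted, alias: " + alias
                : "server certificate NOT in this trust store");
    }
}
```

Run it with the same JVM and the same -D options as the application, on the client machine, so that it inspects the trust store the JDBC driver will actually see.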

Problem with the backend

From
tgutierrez@unipamplona.edu.co
Date:
Cordial greetings, PostgreSQL researchers,

I am getting the following error

and I don't know what it could be, because it mentions an input/output error.

The application does open other tables and works with them within the same
database,

but when querying one small table it reports the following error:

Error ::> portal.bdatos ::> clase UsuarioDAO ::> function validar(String
usuario, String password) ::> SQLException ::> An I/O error occured while
reading from backend - Exception: java.net.SocketException: Connection
timed out
Stack Trace:


Regards,

Tania Gutierrez

Re: SSL Problem

From
"Stefano Bonnin"
Date:
Problem solved.

I copied the certificate that I created on the server to the client and then
I executed "keytool" on the client.
So, every time that I install my application on a new PC I have to execute
the keytool operation on that machine.

Thanks for the help.
RedS
----- Original Message -----
From: "Kris Jurka" <books@ejurka.com>
To: "Stefano Bonnin" <stefano.bonnin@comai.to>
Cc: <pgsql-jdbc@postgresql.org>
Sent: Thursday, July 15, 2004 8:18 PM
Subject: Re: [JDBC] SSL Problem


>
>
> On Thu, 15 Jul 2004, Stefano Bonnin wrote:
>
> > 2004-07-15 14:03:40 LOG:  could not load root certificate file
> > "/usr/local/pgsql-7.4.2/bin/../../pgsql-7.4.1/data/root.crt": No such file
> > or directory
> > DETAIL:  Will not verify client certificates.
>
> This is fine.  You do not need a root.crt file.   This is used to
> authenticate clients to the server which is optional and not necessary to
> establish a SSL connection.
>
> Again the problem seems to be that you have not made the server cert
> available to the connecting jvm.  Adding -Djavax.net.debug=ssl to your
> java command will produce a lot of debug information, but will likely
> confirm this.  The key line will be in the first part of the output where
> it displays which trustStore you are using.  The server cert must be in
> this file.
>
> Kris Jurka
>


Re: SSL Problem

From
José Carlos Stevenson
Date:
Dear Stefano and Kris,

I've been using JWS to deploy an application that uses postgresql.
I've configured pg to use MD5 for a minimum of security (user and
passwd) - how can I deploy an app that uses SSL WITHOUT having to run
keytool on each machine?
Can I "show" the certificate (self signed) and ask the user if he/she
would like to accept it as valid? Is there a HOWTO anywhere or some
sample code showing how to do that?
I also have the same problem using LDAP (and OpenLDAP)...

Thanks in advance,
José Carlos Stevenson.

Stefano Bonnin wrote:
> Problem solved.
>
> I copied the certificate that I created on the server to the client and then
> I executed "keytool" on the client.
> So, every time that I install my application on a new PC I have to execute
> the keytool operation on that machine.
>
> Thanks for the help.
> RedS
> ----- Original Message -----
> From: "Kris Jurka" <books@ejurka.com>
> To: "Stefano Bonnin" <stefano.bonnin@comai.to>
> Cc: <pgsql-jdbc@postgresql.org>
> Sent: Thursday, July 15, 2004 8:18 PM
> Subject: Re: [JDBC] SSL Problem
>
>
>
>>
>>On Thu, 15 Jul 2004, Stefano Bonnin wrote:
>>
>>
>>>2004-07-15 14:03:40 LOG:  could not load root certificate file
>>>"/usr/local/pgsql-7.4.2/bin/../../pgsql-7.4.1/data/root.crt": No such file
>>>or directory
>>>DETAIL:  Will not verify client certificates.
>>
>>This is fine.  You do not need a root.crt file.   This is used to
>>authenticate clients to the server which is optional and not necessary to
>>establish a SSL connection.
>>
>>Again the problem seems to be that you have not made the server cert
>>available to the connecting jvm.  Adding -Djavax.net.debug=ssl to your
>>java command will produce a lot of debug information, but will likely
>>confirm this.  The key line will be in the first part of the output where
>>it displays which trustStore you are using.  The server cert must be in
>>this file.
>>
>>Kris Jurka
>>

Re: SSL Problem

From
Kris Jurka
Date:

On Fri, 16 Jul 2004, José Carlos Stevenson wrote:

> I've been using JWS to deploy an application that uses postgresql.
> I've configured pg to use MD5 for a minimum of security (user and
> passwd) - how can I deploy an app that uses SSL WITHOUT having to run
> keytool on each machine?
> Can I "show" the certificate (self signed) and ask the user if he/she
> would like to accept it as valid? Is there a HOWTO anywhere or some
> sample code showing how to do that?

One answer is to use a server key/cert that has been signed by a
certificate authority that's already distributed with the JVM, but that's
going to cost you money.

A number of people have asked to not require a trusted cert to get around
both this problem and something like an applet which has no control.  The
decrease in security has made me hesitant to do this.  A while back Chris
Smith proposed a patch to allow the user to supply their own
SSLSocketFactory.

http://archives.postgresql.org/pgsql-jdbc/2004-02/msg00218.php

I didn't like this at the time, but perhaps we should revisit it.

Kris Jurka
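
[Added example, not part of the original messages and not the patch linked above.] One way an application could avoid running keytool on every machine while still verifying the server: ship the self-signed server certificate inside the application jar and build an SSLSocketFactory that trusts only that certificate. The class name and the resource path /server.crt.der are hypothetical, and how the factory is handed to the JDBC driver depends on the driver version and is not shown.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: a socket factory that trusts exactly one bundled certificate.
public class BundledCertSocketFactory {

    // Hypothetical classpath location of the server certificate (DER or PEM).
    static final String CERT_RESOURCE = "/server.crt.der";

    public static SSLSocketFactory create() throws Exception {
        Certificate serverCert;
        try (InputStream in =
                 BundledCertSocketFactory.class.getResourceAsStream(CERT_RESOURCE)) {
            if (in == null) {
                throw new IllegalStateException("missing resource " + CERT_RESOURCE);
            }
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Empty in-memory trust store; nothing is read from or written to cacerts.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("postgres", serverCert);

        // Standard trust manager: the handshake fails for any other certificate.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
}
```

Certificate checking stays on, so this keeps the protection whose loss is the concern in the message above; the trust decision moves from each machine's cacerts file to the certificate shipped with the application.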