Thread: ssl connection strangely stops working
Dear List

I am not a very experienced user of jdbc, although I have been using postgresql for many years, having done many server installations and administered them.

From three different systems (mac, windows, and centos virtualbox) behind 1 ip address I had succeeded in getting an ssl connection to a remote server via jdbc. (That after much struggle on centOS glassfish; turns out I had to run
"asadmin set domain.resources.jdbc-connection-pool.connectionPool.property.JDBC30DataSource=true"
at the glassfish account.)

On mac and windows the connection is set up via netbeans/glassfish. All were working very well for about two weeks up until yesterday evening.

Today all three connections stopped working for no apparent reason. I had not touched any settings on the postgresql server.

In the server log I only get this:

LOG: could not accept SSL connection: sslv3 alert certificate unknown

Yes, I googled this problem and found pages seemingly not relevant to my problem. I know I have the ssl connection right because it was working just 24 hours ago with no changes in server or client settings.

Even weirder, I can still connect to this server using psql from the centOS virtualbox. See this
------------------
/usr/local/pg/bin/psql -U mail -h server.address -p 5433 mail
Password for user mail:
psql (9.0.2)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

mail=>
-----------

Any suggestions? Do I suddenly need to enter the server ssl cert into the keystore of the glassfish server now? But I didn't need it before!

Some webpages mention using the property
sslfactory=org.postgresql.ssl.NonValidatingFactory

That does not seem to help much.

Thanks
mr wu
The problem was traced to server certificate expiration.

The problematic server cert is signed by a commercial CA. I think the problem is caused by jdbc not connecting to an expired certificate.

However, jdbc had not been checking that the hostname is the same as the CN; so I had assumed that it does no other checking.

Since psql was working it confused me even more. Replacing with an unexpired commercial certificate fixes the problem, although this new cert CN does match the hostname.

jdbc also does not like an unexpired server cert signed by the company CA.

Good to learn something new.

Very sorry about the noise.

On Fri, Feb 4, 2011 at 8:48 PM, zhong ming wu <mr.z.m.wu@gmail.com> wrote:
I don't think the JDBC driver uses custom SSL "validators", including host name and certificate chains, if you don't specify one with a socket factory. It relies on what is available in the JVM. It looks like this is the way Sun SSL sockets work.

May I ask what GF version you use, and did you specify the truststore password configuration in -D properties?

I actually use GF and I needed to configure truststores at the JVM level (-D) to use SSL sockets (in v3.1 releases). I don't like this solution as it requires providing the master password in clear text.

Kind regards,
Radosław Smogura
http://softperience.eu

zhong ming wu <mr.z.m.wu@gmail.com> Saturday 05 February 2011 03:50:37
On Sat, Feb 5, 2011 at 3:58 AM, Radosław Smogura <rsmogura@softperience.eu> wrote:
> I don't think the JDBC driver uses custom SSL "validators", including host name and
> certificate chains, if you don't specify one with a socket factory. It relies on
> what is available in the JVM. It looks like this is the way Sun SSL sockets
> work.

Very likely the settings are in the JVM. When I wrote the above reply I made it work on Mac. GF is using the JVM of Apple. I am still struggling to make it work on Windows 7, which uses the Oracle JVM.

Also, in my reply above I meant to write that there is still a hostname/CN mismatch with the new unexpired commercial CA.

> May I ask what GF version you use, and did you specify the truststore password
> configuration in -D properties?
> I actually use GF and I needed to configure truststores at the JVM level
> (-D) to use SSL sockets (in v3.1 releases). I don't like this solution as it
> requires providing the master password in clear text.

3.0.latest. The password is set via web console -> jdbc -> connection pool ->. Then I entered the password in one of the properties form inputs. The instructions I followed are in the netbeans ecommerce tutorial.

I also dislike using a password. With other languages/drivers I use a client certificate. I could not find a way to use a client certificate with jdbc.
zhong ming wu <mr.z.m.wu@gmail.com> Saturday 05 February 2011 15:31:30
> On Sat, Feb 5, 2011 at 3:58 AM, Radosław Smogura
> <rsmogura@softperience.eu> wrote:
> > I don't think the JDBC driver uses custom SSL "validators", including host name
> > and certificate chains, if you don't specify one with a socket factory. It
> > relies on what is available in the JVM. It looks like this is the way Sun
> > SSL sockets work.

I was asking because I needed to configure the truststore password with -D (really insecure, because ps -wwx will show it) to make GF open an LDAPS connection - I have a self-signed cert.

> Very likely the settings are in the JVM. When I wrote the above reply I
> made it work on Mac.
> GF is using the JVM of Apple. I am still struggling to make it work on
> Windows 7, which uses the Oracle JVM.

I tested GF 3.1 on IBM JDK. I looked into the sources; there are many, many places that depend on the Sun JVM implementation and Sun JDK. I wrote a few lines to make this work, but hmmm... many places left.

> Also, in my reply above I meant to write that there is still a
> hostname/CN mismatch with the new unexpired commercial CA.

I didn't find, at a glance, any piece of code that adds custom cert or host name validation in the JDBC driver; it uses what it gets from the system.

<snip>

Regards,
Radek
On Sat, Feb 5, 2011 at 11:08 AM, Radosław Smogura <rsmogura@softperience.eu> wrote:
> I was asking because I needed to configure the truststore password with -D
> (really insecure, because ps -wwx will show it) to make GF open an LDAPS
> connection - I have a self-signed cert.
>
>> Very likely the settings are in the JVM. When I wrote the above reply I
>> made it work on Mac.
>> GF is using the JVM of Apple. I am still struggling to make it work on
>> Windows 7, which uses the Oracle JVM.
>
> I tested GF 3.1 on IBM JDK. I looked into the sources; there are many, many places
> that depend on the Sun JVM implementation and Sun JDK. I wrote a few lines to make
> this work, but hmmm... many places left.
>
>> Also, in my reply above I meant to write that there is still a
>> hostname/CN mismatch with the new unexpired commercial CA.
>
> I didn't find, at a glance, any piece of code that adds custom cert or host
> name validation in the JDBC driver; it uses what it gets from the system.
>
> <snip>

It's nice to know that all the problems can be traced to JVM settings.

FWIW, I ended up using 'sslfactory=org.postgresql.ssl.NonValidatingFactory' on Windows 7, which I didn't need on Mac.

Have you looked into 'keytool'? That lets you manipulate the certificates that the JVM relies on. What I am not sure of is whether one must enter server certificates one by one into the JVM or whether one can enter a CA.
zhong ming wu <mr.z.m.wu@gmail.com> Saturday 05 February 2011 22:11:50
> On Sat, Feb 5, 2011 at 11:08 AM, Radosław Smogura
>
> It's nice to know that all the problems can be traced to JVM settings.
>
> FWIW, I ended up using
> 'sslfactory=org.postgresql.ssl.NonValidatingFactory' on Windows 7,
> which I didn't need on Mac.
>
> Have you looked into 'keytool'? That lets you manipulate the
> certificates that the JVM relies on. What I am not sure of is whether one must
> enter server certificates one by one into the JVM or whether one can enter
> a CA.

It is sufficient to put the parent cert (or self-signed cert) in the truststore, but the standard validator validates the cert's expiration date. I don't know if the parent cert must be self-signed. Actually I have my own CA, so it was sufficient to put the CA cert in the truststore.

If SSL doesn't want to work with this, -Djavax.net.ssl.trustStorePassword=changeit may help; "changeit" is the standard master password.
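As an added example (not code from this thread or from the pgjdbc project), the following standalone Java program reproduces the three checks the thread turns on, using the JVM's own default trust manager that the driver falls back to when no sslfactory is set: it loads a truststore, reports whether a saved server certificate fails on its validity period (the expired-cert symptom) or on chain building (CA not in the truststore), and separately compares the JDBC hostname against the certificate's CN and dNSName SANs, since the driver discussed above did not enforce that. The truststore path, its password, the PEM file and the hostname are hypothetical command-line inputs.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/** Usage: java PgCertCheck <truststore.jks> <storepass> <server-cert.pem> <db-host>  (all four are hypothetical inputs) */
public class PgCertCheck {
    public static void main(String[] args) throws Exception {
        String host = args[3];
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Default (PKIX) trust manager: the validator the JVM, and therefore the driver, uses
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate server;
        try (FileInputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + server.getSubjectX500Principal().getName());
        System.out.println("Expires: " + server.getNotAfter());
        // 1. Validity period on its own, so an expired cert is not mistaken for an unknown CA
        try {
            server.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("REJECT (validity): " + e.getMessage());
        }
        // 2. Chain building against the truststore (add intermediates to the array if the server sends them)
        try {
            tm.checkServerTrusted(new X509Certificate[] { server }, "RSA");
            System.out.println("Chain accepted by the default trust manager");
        } catch (CertificateException e) {
            System.out.println("REJECT (chain): " + e.getMessage());
        }
        // 3. Hostname vs CN / dNSName SAN: the driver discussed above did not enforce this, so report it
        boolean nameOk = false;
        for (String rdn : server.getSubjectX500Principal().getName().split(",")) {
            if (rdn.trim().equalsIgnoreCase("CN=" + host)) nameOk = true;
        }
        if (server.getSubjectAlternativeNames() != null) {
            for (List<?> san : server.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) nameOk = true;
            }
        }
        System.out.println(nameOk ? "Hostname matches certificate" : "WARNING: hostname does not match CN or SAN");
    }
}
```

Running it against the JVM's cacerts (or the truststore named by -Djavax.net.ssl.trustStore) shows which of the three conditions a connection would fail on, which is a safer diagnostic than switching the pool to NonValidatingFactory.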