Thread: SSL connection failure

SSL connection failure

From
"David Patricola"
Date:

The server I am connecting to is Redhat with postgres 8.2, running with ssl enabled.  The client I am connecting from is Windows 2003 with ColdFusion 8 Enterprise (runs on a Java engine).  I set up all the certificates and can connect securely on my desktop with pgAdmin3.  I copied the same root.crt to the above Windows box, and installed it in the keystore using the following:

 

E:\JRun4\jre\bin>keytool -importcert -alias dca -file E:\Jrun4\jre\lib\security\root.crt -keystore E:\Jrun4\jre\lib\security\cacerts

 

After restarting java services, I retest the datasource connection (jdbc:postgresql://x.x.x.x/main?ssl) and get the fail message “org.postgresql.util.PSQLException: The connection attempt failed.” with no details in any logs to provide details.  The connection works without ssl fine.

 

I’m at a loss for where the handshake failure is occurring.  Please note that this is the closest to working with java I’ve ever done.

 

David Patricola | Senior Cold Fusion Developer | Web Applications & Services | Jefferson Information Technologies

 

Thomas Jefferson University | Philadelphia, PA | 215.503.1715 (Office)

 

Re: SSL connection failure

From
Dave Cramer
Date:
On Wed, Mar 30, 2011 at 11:27 AM, David Patricola
<david.patricola@jefferson.edu> wrote:
> The server I am connecting to is Redhat with postgres 8.2, running with ssl
> enabled.  The client I am connecting from is Windows 2003 with ColdFusion 8
> Enterprise (runs on a Java engine).  I set up all the certificates and can
> connect securely on my desktop with pgAdmin3.  I copied the same root.crt to
> the above Windows box, and installed it in the keystore using the following:
>
>
>
> E:\JRun4\jre\bin>keytool -importcert -alias dca -file
> E:\Jrun4\jre\lib\security\root.crt -keystore
> E:\Jrun4\jre\lib\security\cacerts
>
>
>
> After restarting java services, I retest the datasource connection
> (jdbc:postgresql://x.x.x.x/main?ssl) and get the fail message
> “org.postgresql.util.PSQLException: The connection attempt failed.” with no
> details in any logs to provide details.  The connection works without ssl
> fine.
>
>
>
> I’m at a loss for where the handshake failure is occurring.  Please note
> that this is the closest to working with java I’ve ever done.
>
>
>
> David Patricola | Senior Cold Fusion Developer | Web Applications & Services
> | Jefferson Information Technologies
>
>
>
> Thomas Jefferson University | Philadelphia, PA | 215.503.1715 (Office)

David,

There are no server logs either?


Dave Cramer

dave.cramer(at)credativ(dot)ca
http://www.credativ.ca


Re: SSL connection failure

From
Maciek Sakrejda
Date:
> After restarting java services, I retest the datasource connection
> (jdbc:postgresql://x.x.x.x/main?ssl) and get the fail message
> “org.postgresql.util.PSQLException: The connection attempt failed.” with no
> details in any logs to provide details.  The connection works without ssl
> fine.

In addition to Dave's suggestion, have you configured driver-level
logging to check what's going on there? See loglevel connection
parameter and DriverManager.setLogWriter().

---
Maciek Sakrejda | System Architect | Truviso

1065 E. Hillsdale Blvd., Suite 215
Foster City, CA 94404
(650) 242-3500 Main
www.truviso.com

Re: SSL connection failure

From
"David Patricola"
Date:
Dave, the error logs only show the same error message as displayed on the
browser.

--
Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-jdbc


Re: SSL connection failure

From
"David Patricola"
Date:
I don't know how to do that?  I have never coded Java so I wouldn't even
know where to start or how to re-compile it.  I only control the logging via
CF's administrator interface.

The closest I see to anything involving SSL is in a server.log file, but I
highly doubt it has any effect on what I'm doing.

"Information","scheduler-11","03/30/11","15:16:28",,"Installed JSafe JCE
provider: Version 3.6 RSA Security Inc. Crypto-J JCE Security Provider
(implements RSA, DSA, Diffie-Hellman, AES, DES, Triple DES, DESX, RC2, RC4,
RC5, PBE, MD2, MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512,
HMAC-MD5, HMAC-RIPEMD160, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
HMAC-SHA512)"



Re: SSL connection failure

From
"David Patricola"
Date:
I got a much better error message finally!  ColdFusion's debug output
provided me with a much better message.  The lines that say "unable to find
valid certification path to requested target" are the biggest help, but I'm
importing server.crt into the default cacerts file under
E:\Jrun4\jre\lib\security, so is there some configuration I'm missing?


===========================================================================
org.postgresql.util.PSQLException: The connection attempt failed.
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:136)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:116)
    at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
    at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
    at org.postgresql.Driver.makeConnection(Driver.java:369)
    at org.postgresql.Driver.connect(Driver.java:245)
    at coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.java:589)
    at coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(ConnectionRunner.java:67)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at org.postgresql.core.PGStream.flush(PGStream.java:532)
    at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:243)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:91)
    ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 27 more



Re: SSL connection failure

From
rsmogura
Date:
 On Thu, 31 Mar 2011 11:36:34 -0400, David Patricola wrote:
> I got a much better error message finally!  ColdFusion's debug output
> provided me with a much better message.  The lines that say "unable
> to find
> valid certification path to requested target" are the biggest help,
> but I'm
> importing server.crt into the default cacerts file under
> E:\Jrun4\jre\lib\security, so is there some configuration I'm
> missing?

 Hi,

 I think it's not a PG JDBC driver problem. I found a URL parameter
 that may help, sslfactory=org.postgresql.ssl.NonValidatingFactory (if it
 hasn't changed), but in addition I would like to give you some other
 hints:
 1. If you run the driver in a server environment, then the system keystore
 may not be enough. Actually, common servers like Tomcat or Glassfish provide
 their own keystore and castore located somewhere in the server directory;
 what is more, this store may not be a standard desktop JKS keystore but an
 NSS keystore, and importing certs there requires other tools.
 2. You need to add the certificate as trusted, and/or if the certificate has
 parent(s), then all of those should be trusted, too.
 3. Sometimes you need to provide the keystore/truststore password by adding
 a -D system property to the JVM launch path; not all servers give the
 ability to open the keystore by using SSL sockets.

 Regards,
 Radosław Smogura
 http://softperience.eu


Re: SSL connection failure

From
"David Patricola"
Date:
Actually, I just had to add in server.crt into the default keystore.  My
problem was the IP address I had in the certificate didn't match the
hostname of the calling server.  Changing the IP to the hostname did the
trick.
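
The checks that the hints and the PKIX error in this thread point to, as an added example that is not part of the original messages: a small Java program that reports which trust store the running JVM resolves by default, whether a given certificate file is present in it, and whether it passes the same checkServerTrusted validation seen in the stack trace. The class name TrustStoreCheck is hypothetical; the code assumes the standard JSSE system properties and an RSA key exchange.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class). Usage: java TrustStoreCheck [certificate-file]
public class TrustStoreCheck {
    // JSSE default lookup order: -Djavax.net.ssl.trustStore, then
    // <java.home>/lib/security/jssecacerts, then <java.home>/lib/security/cacerts.
    static File effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) return new File(explicit);
        File dir = new File(new File(System.getProperty("java.home"), "lib"), "security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    static KeyStore load(File store) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        InputStream in = new FileInputStream(store);
        try {
            // A null password skips the integrity check but still reads the certificates.
            ks.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    static X509Certificate readCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Calls checkServerTrusted, the entry point in the stack trace; "RSA" is an assumed auth type.
    static String validate(KeyStore ks, X509Certificate cert) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { cert }, "RSA");
                return "trusted";
            } catch (CertificateException e) {
                return "NOT trusted: " + e.getMessage();
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        File store = effectiveTrustStore();
        System.out.println("trust store : " + store.getAbsolutePath());
        KeyStore ks = load(store);
        System.out.println("entries     : " + ks.size());
        if (args.length > 0) {
            X509Certificate cert = readCert(args[0]);
            System.out.println("subject     : " + cert.getSubjectX500Principal());
            System.out.println("alias       : " + ks.getCertificateAlias(cert)); // null = not imported
            System.out.println("validation  : " + validate(ks, cert));
        }
    }
}
```

Run it with the same java binary the application server uses (in this thread, the one under E:\JRun4\jre\bin), because the result depends on that JVM's java.home and system properties. The check covers chain trust only; it does not compare the certificate's name with the host being connected to.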
