Thread: SSL connection issue with JDBC

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

Hi,

 

Details required:-

 

JDBC driver build number:- postgresql-9.1-903.jdbc4

 

Server version:- PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg16.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609, 64-bit

 

Exact error message and stacktrace:-

 

org.postgresql.util.PSQLException: The connection attempt failed.

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:150)

                at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)

                at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:123)

                at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:28)

                at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:20)

                at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)

                at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:22)

                at org.postgresql.Driver.makeConnection(Driver.java:391)

                at org.postgresql.Driver.connect(Driver.java:265)

                at java.sql.DriverManager.getConnection(DriverManager.java:675)

                at java.sql.DriverManager.getConnection(DriverManager.java:219)

                at com.utility.PostgresSSL.main(PostgresSSL.java:24)

Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.jsse2.j.a(j.java:12)

                at com.ibm.jsse2.as.a(as.java:118)

                at com.ibm.jsse2.C.a(C.java:193)

                at com.ibm.jsse2.C.a(C.java:245)

                at com.ibm.jsse2.D.a(D.java:242)

                at com.ibm.jsse2.D.a(D.java:56)

                at com.ibm.jsse2.C.r(C.java:69)

                at com.ibm.jsse2.C.a(C.java:580)

                at com.ibm.jsse2.as.a(as.java:512)

                at com.ibm.jsse2.as.i(as.java:969)

                at com.ibm.jsse2.as.a(as.java:176)

                at com.ibm.jsse2.h.write(h.java:36)

                at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:93)

                at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:151)

                at org.postgresql.core.PGStream.flush(PGStream.java:521)

                at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:257)

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:103)

                ... 11 more

Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.jsse2.util.f.a(f.java:35)

                at com.ibm.jsse2.util.f.b(f.java:96)

                at com.ibm.jsse2.util.e.a(e.java:19)

                at com.ibm.jsse2.aA.a(aA.java:132)

                at com.ibm.jsse2.aA.a(aA.java:39)

                at com.ibm.jsse2.aA.checkServerTrusted(aA.java:27)

                at com.ibm.jsse2.D.a(D.java:110)

                ... 23 more

Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)

                at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)

                at com.ibm.jsse2.util.f.a(f.java:49)

                ... 29 more

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)

                at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)

                ... 31 more

Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)

                at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)

                ... 36 more

 

 

What you were doing, ideally in code form:-

 

We are working on Connecting to Postgresql database via SSL through Java JDBC. We are not able to establish SSL connection, but non SSL connection is working. Postgresql SSL server has been set up at our end and if we connect to it using pgAdmin4 client we are able to connect to it via SSL but the same is not working in JAVA using JDBC.

 

In the jave program if we provide the connection string parameter ("sslfactory", "org.postgresql.ssl.NonValidatingFactory"), this property will ignore the certificate validation and connect via SSL, but we want to connect with passing certificates only.

 

If we try to run the program with certificates in the parameter we get error as posted above.

 

Code:-

 

String url = "jdbc:postgresql://<host>:5432/postgres";

                                Properties props = new Properties();

                                props.setProperty("user","postgres");

                                props.setProperty("password","temp4now");

                                props.setProperty("ssl","true");

                                props.setProperty("sslcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.crt");

                                props.setProperty("sslkey", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.key");

                                props.setProperty("sslrootcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\root.crt");

  Connection conn = DriverManager.getConnection(url, props);

 

 

 

If I use latest JDBC postgrsql driver "postgresql-42.2.5" then I get below error.

 

org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message

                at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)

                at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)

                at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)

                at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)

                at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)

                at org.postgresql.Driver.makeConnection(Driver.java:454)

                at org.postgresql.Driver.connect(Driver.java:256)

                at java.sql.DriverManager.getConnection(DriverManager.java:675)

                at java.sql.DriverManager.getConnection(DriverManager.java:219)

                at com.utility.PostgresSSL.main(PostgresSSL.java:23)

Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message

                at com.ibm.jsse2.j.a(j.java:35)

                at com.ibm.jsse2.j.a(j.java:31)

                at com.ibm.jsse2.as.b(as.java:806)

                at com.ibm.jsse2.as.a(as.java:102)

                at com.ibm.jsse2.as.i(as.java:969)

                at com.ibm.jsse2.as.a(as.java:680)

                at com.ibm.jsse2.as.startHandshake(as.java:859)

                at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)

                ... 10 more

 

 

 

 

I tried to search a lot but was not able to find the solution for this. Let me know which driver to use for this and if anything I am missing in this.

 

Thanks,

Anup

Update you jdbc driver to current release.

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

If I use latest JDBC postgrsql driver "postgresql-42.2.5" then I get below error.

 Anup

Update you jdbc driver to current release.

Sounds like that was done.

Are you sure your SSL certs are recognized?  The original exception suggests an issue with trust along the chain:

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

That does seem an unexpected CN.  Both your java cacerts and postgres would have to share the CA certs needed to validate the full chain.

David