Re: SSL connection issue with JDBC

From: Rob Sargent <robjsargent(at)gmail(dot)com>
To: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: SSL connection issue with JDBC
Date: 2019-05-14 16:31:51
Message-ID: 2d9ac944-ab26-b4dd-0a95-49507ba3208f@gmail.com
Lists: pgsql-jdbc


On 5/14/19 6:35 AM, Anupkumar Seth wrote:
>
> Hi,
>
> Details required:-
>
> *_JDBC driver build number:-_* postgresql-9.1-903.jdbc4
>
> *_Server version:-_* PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg16.04+1) on
> x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11)
> 5.4.0 20160609, 64-bit
>
> *_Exact error message and stacktrace:- _*
>
> org.postgresql.util.PSQLException: The connection attempt failed.
>     at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:150)
>     at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
>     at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:123)
>     at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:28)
>     at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:20)
>     at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
>     at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:22)
>     at org.postgresql.Driver.makeConnection(Driver.java:391)
>     at org.postgresql.Driver.connect(Driver.java:265)
>     at java.sql.DriverManager.getConnection(DriverManager.java:675)
>     at java.sql.DriverManager.getConnection(DriverManager.java:219)
>     at com.utility.PostgresSSL.main(PostgresSSL.java:24)
> Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
> java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
> java.security.cert.CertPathValidatorException: Certificate chaining error
>     at com.ibm.jsse2.j.a(j.java:12)
>     at com.ibm.jsse2.as.a(as.java:118)
>     at com.ibm.jsse2.C.a(C.java:193)
>     at com.ibm.jsse2.C.a(C.java:245)
>     at com.ibm.jsse2.D.a(D.java:242)
>     at com.ibm.jsse2.D.a(D.java:56)
>     at com.ibm.jsse2.C.r(C.java:69)
>     at com.ibm.jsse2.C.a(C.java:580)
>     at com.ibm.jsse2.as.a(as.java:512)
>     at com.ibm.jsse2.as.i(as.java:969)
>     at com.ibm.jsse2.as.a(as.java:176)
>     at com.ibm.jsse2.h.write(h.java:36)
>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:93)
>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:151)
>     at org.postgresql.core.PGStream.flush(PGStream.java:521)
>     at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:257)
>     at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:103)
>     ... 11 more
> Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
> java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
> java.security.cert.CertPathValidatorException: Certificate chaining error
>     at com.ibm.jsse2.util.f.a(f.java:35)
>     at com.ibm.jsse2.util.f.b(f.java:96)
>     at com.ibm.jsse2.util.e.a(e.java:19)
>     at com.ibm.jsse2.aA.a(aA.java:132)
>     at com.ibm.jsse2.aA.a(aA.java:39)
>     at com.ibm.jsse2.aA.checkServerTrusted(aA.java:27)
>     at com.ibm.jsse2.D.a(D.java:110)
>     ... 23 more
> Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
> java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
> java.security.cert.CertPathValidatorException: Certificate chaining error
>     at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at com.ibm.jsse2.util.f.a(f.java:49)
>     ... 29 more
> Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
> java.security.cert.CertPathValidatorException: Certificate chaining error
>     at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
>     at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)
>     at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)
>     at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)
>     at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
>     at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
>     ... 31 more
> Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
>     at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
>     at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
>     ... 36 more
>
> *_What you were doing, ideally in code form:- _*
>
> We are working on Connecting to Postgresql database via SSL through
> Java JDBC. We are not able to establish SSL connection, but non SSL
> connection is working. Postgresql SSL server has been set up at our
> end and if we connect to it using pgAdmin4 client we are able to
> connect to it via SSL but the same is not working in JAVA using JDBC.
>
> In the Java program if we provide the connection string parameter
> ("sslfactory", "org.postgresql.ssl.NonValidatingFactory"), this
> property will ignore the certificate validation and connect via SSL,
> but we want to connect with passing certificates only.
>
> If we try to run the program with certificates in the parameter we get
> error as posted above.
>
> Code:-
>
> String url = "jdbc:postgresql://<host>:5432/postgres";
> Properties props = new Properties();
> props.setProperty("user","postgres");
> props.setProperty("password","temp4now");
> props.setProperty("ssl","true");
> props.setProperty("sslcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.crt");
> props.setProperty("sslkey", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.key");
> props.setProperty("sslrootcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\root.crt");
> Connection conn = DriverManager.getConnection(url, props);
>
> If I use *_latest JDBC postgresql driver "postgresql-42.2.5"_* then I
> get below error.
>
> org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
>     at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
>     at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
>     at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
>     at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
>     at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
>     at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
>     at org.postgresql.Driver.makeConnection(Driver.java:454)
>     at org.postgresql.Driver.connect(Driver.java:256)
>     at java.sql.DriverManager.getConnection(DriverManager.java:675)
>     at java.sql.DriverManager.getConnection(DriverManager.java:219)
>     at com.utility.PostgresSSL.main(PostgresSSL.java:23)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
>     at com.ibm.jsse2.j.a(j.java:35)
>     at com.ibm.jsse2.j.a(j.java:31)
>     at com.ibm.jsse2.as.b(as.java:806)
>     at com.ibm.jsse2.as.a(as.java:102)
>     at com.ibm.jsse2.as.i(as.java:969)
>     at com.ibm.jsse2.as.a(as.java:680)
>     at com.ibm.jsse2.as.startHandshake(as.java:859)
>     at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
>     ... 10 more
>
> I tried to search a lot but was not able to find the solution for
> this. Let me know which driver to use for this and if anything I am
> missing in this.
>
> Thanks,
>
> Anup
>
Update your JDBC driver to the current release.
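
Added example (not code from this thread or from the pgjdbc project): the validating counterpart to the NonValidatingFactory setting mentioned in the question, written for a pgjdbc 42.x driver. The host and certificate-directory arguments, the PGPASSWORD variable and the postgresql.pk8 file name are assumptions; pgjdbc 42.2.5 documents sslkey as a PKCS-8 DER file, so the PEM key is assumed to have been converted first.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class PgVerifiedTls {

    /** Rejects settings that encrypt the link without authenticating the server. */
    static void requireServerValidation(Properties p) {
        if (p.getProperty("sslfactory", "").endsWith("NonValidatingFactory")) {
            throw new IllegalArgumentException("sslfactory disables certificate validation");
        }
        String mode = p.getProperty("sslmode", "");
        if (!mode.equals("verify-ca") && !mode.equals("verify-full")) {
            throw new IllegalArgumentException("sslmode must be verify-ca or verify-full, got '" + mode + "'");
        }
    }

    /** Validating client settings; certDir is an assumed directory holding the three files. */
    static Properties verifiedProps(String user, String password, String certDir) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("sslmode", "verify-full");                // validate chain and host name
        p.setProperty("sslrootcert", certDir + "/root.crt");    // CA that issued the server certificate
        p.setProperty("sslcert", certDir + "/postgresql.crt");  // client certificate (PEM)
        p.setProperty("sslkey", certDir + "/postgresql.pk8");   // client key, PKCS-8 DER (assumed name)
        return p;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("PGPASSWORD");          // assumption: secret comes from the environment
        if (args.length != 2 || password == null) {
            System.err.println("usage: PGPASSWORD=... java PgVerifiedTls <host> <certDir>");
            return;
        }
        Properties props = verifiedProps("postgres", password, args[1]);
        requireServerValidation(props);
        String url = "jdbc:postgresql://" + args[0] + ":5432/postgres";
        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             // pg_stat_ssl reports what the server negotiated for this backend
             ResultSet rs = st.executeQuery(
                 "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            rs.next();
            System.out.println("ssl=" + rs.getBoolean(1) + " version=" + rs.getString(2)
                + " cipher=" + rs.getString(3));
        }
    }
}
```

An unencrypted PEM key can be converted with `openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt`.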
